Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:44
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice UT05-222546.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Invoice UT05-222546.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: Invoice UT05-222546.pdf.exe
- Size: 360KB
- MD5: b76512014f74e255d5fa3bd144090baf
- SHA1: 19e3bd57858eea5e1904f379f5683243e39fbaed
- SHA256: 6de0a133506d6df141e56bf1f834c3028c31809a056f7bb97d76c9199c5823b7
- SHA512: 5c5d3757ebdb6bdd86d1de031889e788ea480c178e3e2959e314c1983a6f0da0eca698e384a70a616e7147cf1d3a406df7d615d84965b0b8d6a04069e438e4f3
Malware Config
Signatures
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes (resource | yara_rule):
  - behavioral1/memory/1836-56-0x0000000004C90000-0x0000000004CE2000-memory.dmp | rezer0
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  - 1836 | Invoice UT05-222546.pdf.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1836 | Invoice UT05-222546.pdf.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
  - PID 1836 wrote to memory of 856 | 1836 | Invoice UT05-222546.pdf.exe | schtasks.exe (4 entries)
  - PID 1836 wrote to memory of 1084 | 1836 | Invoice UT05-222546.pdf.exe | Invoice UT05-222546.pdf.exe (4 entries)
  - PID 1836 wrote to memory of 1128 | 1836 | Invoice UT05-222546.pdf.exe | Invoice UT05-222546.pdf.exe (4 entries)
  - PID 1836 wrote to memory of 1120 | 1836 | Invoice UT05-222546.pdf.exe | Invoice UT05-222546.pdf.exe (4 entries)
  - PID 1836 wrote to memory of 1696 | 1836 | Invoice UT05-222546.pdf.exe | Invoice UT05-222546.pdf.exe (4 entries)
  - PID 1836 wrote to memory of 1136 | 1836 | Invoice UT05-222546.pdf.exe | Invoice UT05-222546.pdf.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EC4.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5EC4.tmp
  Filesize: 1KB
  MD5: 8dc0ae1991f4255c790a3988f7812299
  SHA1: 6629cb446e0e9428d196009508772de588cd063c
  SHA256: 1ee90c59c2a1590614b007a05bdcf7d8c9b184d64268edc55aaf42ef004a6948
  SHA512: 0b2d4f7d90ab2e245d9d677a40e302d4fa519cbd9b3ead381336c2e087f2986215a7482762b90a3e5ebccf317a575c6485cdab4e59f26832f207b045b05e459f
- memory/856-58-0x0000000000000000-mapping.dmp
- memory/1836-54-0x00000000003E0000-0x0000000000440000-memory.dmp
  Filesize: 384KB
- memory/1836-55-0x0000000000330000-0x0000000000338000-memory.dmp
  Filesize: 32KB
- memory/1836-56-0x0000000004C90000-0x0000000004CE2000-memory.dmp
  Filesize: 328KB
- memory/1836-57-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB