241d82b94453c2b5e9603c47ece0ef95e0e4344bfad3297dbf9cbec61dc7f53c

General

Target

Invoice UT05-222546.pdf.exe
Size

360KB
MD5

b76512014f74e255d5fa3bd144090baf
SHA1

19e3bd57858eea5e1904f379f5683243e39fbaed
SHA256

6de0a133506d6df141e56bf1f834c3028c31809a056f7bb97d76c9199c5823b7
SHA512

5c5d3757ebdb6bdd86d1de031889e788ea480c178e3e2959e314c1983a6f0da0eca698e384a70a616e7147cf1d3a406df7d615d84965b0b8d6a04069e438e4f3

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1836-56-0x0000000004C90000-0x0000000004CE2000-memory.dmp	rezer0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

856 schtasks.exe

pid	process
856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Invoice UT05-222546.pdf.exe

pid	process
1836	Invoice UT05-222546.pdf.exe
1836	Invoice UT05-222546.pdf.exe
1836	Invoice UT05-222546.pdf.exe
1836	Invoice UT05-222546.pdf.exe
1836	Invoice UT05-222546.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Invoice UT05-222546.pdf.exe

description pid process

Token: SeDebugPrivilege 1836 Invoice UT05-222546.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1836	Invoice UT05-222546.pdf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Invoice UT05-222546.pdf.exe

description	pid	process	target process
PID 1836 wrote to memory of 856	1836	Invoice UT05-222546.pdf.exe	schtasks.exe
PID 1836 wrote to memory of 856	1836	Invoice UT05-222546.pdf.exe	schtasks.exe
PID 1836 wrote to memory of 856	1836	Invoice UT05-222546.pdf.exe	schtasks.exe
PID 1836 wrote to memory of 856	1836	Invoice UT05-222546.pdf.exe	schtasks.exe
PID 1836 wrote to memory of 1084	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1084	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1084	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1084	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1128	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1128	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1128	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1128	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1120	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1120	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1120	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1120	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1696	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1696	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1696	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1696	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1136	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1136	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1136	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe
PID 1836 wrote to memory of 1136	1836	Invoice UT05-222546.pdf.exe	Invoice UT05-222546.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNYFRHTfohvGo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EC4.tmp"
2⤵
- Creates scheduled task(s)
PID:856

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"{path}"
2⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"{path}"
2⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"{path}"
2⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"{path}"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\Invoice UT05-222546.pdf.exe
"{path}"
2⤵
PID:1136

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5EC4.tmp
Filesize
1KB

MD5
8dc0ae1991f4255c790a3988f7812299

SHA1
6629cb446e0e9428d196009508772de588cd063c

SHA256
1ee90c59c2a1590614b007a05bdcf7d8c9b184d64268edc55aaf42ef004a6948

SHA512
0b2d4f7d90ab2e245d9d677a40e302d4fa519cbd9b3ead381336c2e087f2986215a7482762b90a3e5ebccf317a575c6485cdab4e59f26832f207b045b05e459f

Download Submit
memory/856-58-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/1836-55-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1836-56-0x0000000004C90000-0x0000000004CE2000-memory.dmp

Filesize
328KB

Download
memory/1836-57-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads