82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

General

Target

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Size

371KB
MD5

8da70b07970cfa92d731183c78734056
SHA1

596f5da72da49e8ba0803153d440ce2290384b9e
SHA256

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee
SHA512

9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Score

9^/10

persistence rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1156-56-0x00000000007F0000-0x000000000080E000-memory.dmp	rezer0

Executes dropped EXE 2 IoCs

Processes:

CompPkgSup.exeCompPkgSup.exe

pid process

1576 CompPkgSup.exe
1604 CompPkgSup.exe
Loads dropped DLL 1 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

pid process

1352 82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

pid	process
1576	CompPkgSup.exe
1604	CompPkgSup.exe

pid	process
1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\Component Package Support\\CompPkgSup.exe"	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exe

description	pid	process	target process
PID 1156 set thread context of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1576 set thread context of 1604	1576	CompPkgSup.exe	CompPkgSup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1808 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

CompPkgSup.exe

pid process

1604 CompPkgSup.exe

pid	process
1808	schtasks.exe

pid	process
1604	CompPkgSup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exe

pid	process
1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
1576	CompPkgSup.exe
1576	CompPkgSup.exe
1576	CompPkgSup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exeCompPkgSup.exe

description	pid	process
Token: SeDebugPrivilege	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Token: SeDebugPrivilege	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Token: SeDebugPrivilege	1576	CompPkgSup.exe
Token: SeDebugPrivilege	1604	CompPkgSup.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exe

description	pid	process	target process
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1156 wrote to memory of 1352	1156	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1352 wrote to memory of 1576	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 1352 wrote to memory of 1576	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 1352 wrote to memory of 1576	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 1352 wrote to memory of 1576	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 1352 wrote to memory of 1808	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 1352 wrote to memory of 1808	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 1352 wrote to memory of 1808	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 1352 wrote to memory of 1808	1352	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe
PID 1576 wrote to memory of 1604	1576	CompPkgSup.exe	CompPkgSup.exe

C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
"C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
"{path}"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WMI Services" /tr "C:\ProgramData\Component Package Support\CompPkgSup.exe" /f
3⤵
- Creates scheduled task(s)
PID:1808

C:\ProgramData\Component Package Support\CompPkgSup.exe
"C:\ProgramData\Component Package Support\CompPkgSup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\ProgramData\Component Package Support\CompPkgSup.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\taskeng.exe
taskeng.exe {71B6F584-9A77-4B03-9DA4-A81BE93A33A4} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
PID:1192

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Component Package Support\CompPkgSup.exe

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
371KB

MD5
8da70b07970cfa92d731183c78734056

SHA1
596f5da72da49e8ba0803153d440ce2290384b9e

SHA256
82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

SHA512
9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe

Download Submit
\ProgramData\Component Package Support\CompPkgSup.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1156-54-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/1156-55-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/1156-56-0x00000000007F0000-0x000000000080E000-memory.dmp

Filesize
120KB

Download
memory/1352-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-72-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/1352-92-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-79-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-66-0x000000000041800A-mapping.dmp

Download
memory/1352-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-96-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1352-81-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1352-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1576-98-0x0000000000000000-mapping.dmp

Download
memory/1576-101-0x0000000001030000-0x0000000001090000-memory.dmp

Filesize
384KB

Download
memory/1604-112-0x000000000041800A-mapping.dmp

Download
memory/1808-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads