Analysis
- max time kernel: 176s
- max time network: 187s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 04:12
Static task: static1
Behavioral task: behavioral1
- Sample: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
- Resource: win10v2004-20220414-en
General
- Target: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
- Size: 140KB
- MD5: 8f3b91fab3b43f4ab87c0b0a313a21c5
- SHA1: 4a7108276f093be0336f7f457f5973b86a0ad587
- SHA256: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac
- SHA512: 15c369e28128f796de46d7efa88c50ff32ebc58beaa3c62d935c9f2f690ffbcf17381d894c95653947c895a54bc849c995d282e1ed32d4a703c3d9333041337f
Malware Config
Signatures
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
  - resource: behavioral1/memory/1380-57-0x0000000000770000-0x000000000078E000-memory.dmp, yara_rule: rezer0
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 1380 set thread context of 908; process: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe (PID 1380), target process: MSBuild.exe (PID 908)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - PID 1380, process: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1380, process: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
  - Token: SeDebugPrivilege, PID 908, process: MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  - PID 1380 wrote to memory of 1600 (4 events); process: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe, target process: schtasks.exe
  - PID 1380 wrote to memory of 908 (9 events); process: 5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe, target process: MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VILDCWsxo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp
  Filesize: 1KB
  MD5: 76246072f4346afb9d71a8f3246cdd13
  SHA1: 5c27abce8fd4d761b049eff1131ad255e82fac47
  SHA256: e74c0bf1e235800a6863412dc43c34cf2377c9b150cad2e85b15ceed2d73c25a
  SHA512: 7af5caaea24abe05d4b57347a30000f0add4358d8e23c25cbc596909a5808549c0dd4dc102b8d017b5175b82d42da2d8be60f832a85dcf0d84dc4535299dd227
- memory/908-64-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-66-0x000000000041102E-mapping.dmp
- memory/908-71-0x00000000003C0000-0x00000000003EA000-memory.dmp (Filesize: 168KB)
- memory/908-70-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-68-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-63-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-61-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-60-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/908-65-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/1380-54-0x0000000000AA0000-0x0000000000ACA000-memory.dmp (Filesize: 168KB)
- memory/1380-56-0x00000000004F0000-0x00000000004FA000-memory.dmp (Filesize: 40KB)
- memory/1380-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1380-57-0x0000000000770000-0x000000000078E000-memory.dmp (Filesize: 120KB)
- memory/1600-58-0x0000000000000000-mapping.dmp