19bc7da42bb7891d1cb8969238286d849b0d34f9ebe4e85825fee1c6c1baff20

General

Target

15d1e7a378364a34ae874ea987a256e7.exe
Size

210KB
MD5

15d1e7a378364a34ae874ea987a256e7
SHA1

7ede6fe1b12caac18ceb6d5f95c7e063506e58a0
SHA256

19bc7da42bb7891d1cb8969238286d849b0d34f9ebe4e85825fee1c6c1baff20
SHA512

238ce88b1920aefe022976227c95513d21d9c53f9355f31961fdbcc8ccd7c7bef43431787e80c25a713122095653e0175fe6db592ef39f090e61353dde465e60
SSDEEP

3072:zvuWpYFMkpSvhKuPWvdWKWzsMqNXl8g8D4vynkgGK8pwirYAxRrUr/AaH+Ot:zvuWopUK68FUG8wYAxyDA

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1992-4-0x0000000000D40000-0x0000000000D98000-memory.dmp	rezer0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2720 schtasks.exe

pid	process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

15d1e7a378364a34ae874ea987a256e7.exe

pid	process
1992	15d1e7a378364a34ae874ea987a256e7.exe
1992	15d1e7a378364a34ae874ea987a256e7.exe
1992	15d1e7a378364a34ae874ea987a256e7.exe
1992	15d1e7a378364a34ae874ea987a256e7.exe
1992	15d1e7a378364a34ae874ea987a256e7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15d1e7a378364a34ae874ea987a256e7.exe

description pid process

Token: SeDebugPrivilege 1992 15d1e7a378364a34ae874ea987a256e7.exe

description	pid	process
Token: SeDebugPrivilege	1992	15d1e7a378364a34ae874ea987a256e7.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

15d1e7a378364a34ae874ea987a256e7.exe

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\arVIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmp"
2⤵
- Creates scheduled task(s)
PID:2720

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"{path}"
2⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"{path}"
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"{path}"
2⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"{path}"
2⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\15d1e7a378364a34ae874ea987a256e7.exe
"{path}"
2⤵
PID:2708

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmp
Filesize
1KB

MD5
8342b90c3dacad5f8149caf9c8292ed2

SHA1
d168acf26fb145c0a5d2e66291c1d55d797b0b20

SHA256
ee3de97d1ce298f4267f7aeead9367daac36701b82bc6722af5d4ca9a8e906dd

SHA512
6cd4201ac15a4a518d99faef79c92c1dd09249bb2caad87dabf77af12ae89d4769f5dca4ebd1bd9140a017ad44a0d64e170befeda10da4e43a1471f9c5ce5649

Download Submit
memory/1992-0-0x0000000000DC0000-0x0000000000DFA000-memory.dmp

Filesize
232KB

Download
memory/1992-1-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-2-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/1992-3-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1992-4-0x0000000000D40000-0x0000000000D98000-memory.dmp

Filesize
352KB

Download
memory/1992-10-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1992 wrote to memory of 2720	1992	15d1e7a378364a34ae874ea987a256e7.exe	schtasks.exe
PID 1992 wrote to memory of 2720	1992	15d1e7a378364a34ae874ea987a256e7.exe	schtasks.exe
PID 1992 wrote to memory of 2720	1992	15d1e7a378364a34ae874ea987a256e7.exe	schtasks.exe
PID 1992 wrote to memory of 2720	1992	15d1e7a378364a34ae874ea987a256e7.exe	schtasks.exe
PID 1992 wrote to memory of 2680	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2680	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2680	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2680	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2300	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2300	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2300	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2300	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2892	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2892	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2892	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2892	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2772	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2772	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2772	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2772	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2708	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2708	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2708	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe
PID 1992 wrote to memory of 2708	1992	15d1e7a378364a34ae874ea987a256e7.exe	15d1e7a378364a34ae874ea987a256e7.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads