db71afc74e7b156796bfdf79ac0402be47cb873d0c86e34ee430f3e2a398ee17

General

Target

e6354ae0b5be2a9c0d883d560e7756d6.exe
Size

1.4MB
MD5

e6354ae0b5be2a9c0d883d560e7756d6
SHA1

4aa226591a22c2991370663346205e0106ae19a9
SHA256

db71afc74e7b156796bfdf79ac0402be47cb873d0c86e34ee430f3e2a398ee17
SHA512

685e968eaa4af9e29469c9ece517d6be85b8f94372b7d98047564ad68b94b9cdf18f5d599ec338772afab1d24695c6630667f808a2c0b4937f8bf8b3acec4a5d
SSDEEP

24576:I6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6Ef:nY9UORVOM1jJHzaiape0hsABFRJch6Lz

Score

9^/10

rezer0 upx

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2820-9-0x0000000000A30000-0x0000000000A5C000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2820 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2608 cmd.exe

pid	process
2820	test.exe

pid	process
2608	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1940-1-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1940-10-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/1940-17-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

test.exe

pid process

2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
2820 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 2820 test.exe

pid	process
2780	schtasks.exe

pid	process
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe
2820	test.exe

description	pid	process
Token: SeDebugPrivilege	2820	test.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

e6354ae0b5be2a9c0d883d560e7756d6.execmd.exetest.exe

description	pid	process	target process
PID 1940 wrote to memory of 2608	1940	e6354ae0b5be2a9c0d883d560e7756d6.exe	cmd.exe
PID 1940 wrote to memory of 2608	1940	e6354ae0b5be2a9c0d883d560e7756d6.exe	cmd.exe
PID 1940 wrote to memory of 2608	1940	e6354ae0b5be2a9c0d883d560e7756d6.exe	cmd.exe
PID 1940 wrote to memory of 2608	1940	e6354ae0b5be2a9c0d883d560e7756d6.exe	cmd.exe
PID 2608 wrote to memory of 2820	2608	cmd.exe	test.exe
PID 2608 wrote to memory of 2820	2608	cmd.exe	test.exe
PID 2608 wrote to memory of 2820	2608	cmd.exe	test.exe
PID 2608 wrote to memory of 2820	2608	cmd.exe	test.exe
PID 2820 wrote to memory of 2780	2820	test.exe	schtasks.exe
PID 2820 wrote to memory of 2780	2820	test.exe	schtasks.exe
PID 2820 wrote to memory of 2780	2820	test.exe	schtasks.exe
PID 2820 wrote to memory of 2780	2820	test.exe	schtasks.exe
PID 2820 wrote to memory of 2648	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2648	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2648	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2648	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2564	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2564	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2564	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2564	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2632	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2632	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2632	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2632	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2552	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2552	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2552	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2552	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2188	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2188	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2188	2820	test.exe	vbc.exe
PID 2820 wrote to memory of 2188	2820	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\e6354ae0b5be2a9c0d883d560e7756d6.exe
"C:\Users\Admin\AppData\Local\Temp\e6354ae0b5be2a9c0d883d560e7756d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp"
4⤵
- Creates scheduled task(s)
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2188

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
330KB

MD5
261aa73f93c90dcec0c36a51cb9b5dee

SHA1
b0c41e06cd2ded81706820423db40bf8fea2c957

SHA256
ae160b749914bd56aecbcf43d56a59bde2069a145682b2911fe50c6adabe1b54

SHA512
7b90335b4a7db7b5056f6d60db642754038dc544bd2c1f82e68b1f8e339bf70227f0c08d157b4ca1004448fab7d109f0239196f242d0edeab978de9025a3c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp
Filesize
1KB

MD5
f83556433547c508e7d80587b48bf33f

SHA1
6ce17c6e31fbb43cd850a58945fdc4f3fa2f1a5c

SHA256
7642b606889c8caff061a3df99ad4eee9aa8718805eb17a0b4a0189dd9df9142

SHA512
fb7017a2459895d0140272549bc64dfd5d1b0b9a2147e52b609a7b04d941fc7cf14b46e7339191e2b64cd6378abfc87d6aa41624fece1e05e56bd39d8e7bedb8

Download Submit
memory/1940-1-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1940-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1940-17-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2820-5-0x00000000011D0000-0x0000000001228000-memory.dmp

Filesize
352KB

Download
memory/2820-6-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-7-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2820-8-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2820-9-0x0000000000A30000-0x0000000000A5C000-memory.dmp

Filesize
176KB

Download
memory/2820-16-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads