394a5f08dcda3e2a0112f4019653139676389637cb465509c6d644a5eed0f45a

General

Target

5fcda7ba7ec8e67ff814d484a57d62ab.exe
Size

1.4MB
MD5

5fcda7ba7ec8e67ff814d484a57d62ab
SHA1

d20c5e1a365838ca57e62f023e66abcfa62fe798
SHA256

394a5f08dcda3e2a0112f4019653139676389637cb465509c6d644a5eed0f45a
SHA512

09d335abac66d0b382165de007a5466228c1725fa7a90f0da08aae054a1a57a0370f32f16d943b61d0e17fbe6e9939fe671f90525b79b57415519e6cc7970c5b
SSDEEP

24576:k6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6E7:rY9UORVOM1jJHzaiape0hsABFRJch6Lv

Score

9^/10

rezer0 upx

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/3592-12-0x0000000005CF0000-0x0000000005D1C000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation test.exe
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

3592 test.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	test.exe

pid	process
3592	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3324-0-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral2/memory/3324-14-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral2/memory/3324-22-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2676 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

test.exe

pid process

3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
3592 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 3592 test.exe

pid	process
2676	schtasks.exe

pid	process
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe
3592	test.exe

description	pid	process
Token: SeDebugPrivilege	3592	test.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5fcda7ba7ec8e67ff814d484a57d62ab.execmd.exetest.exe

description	pid	process	target process
PID 3324 wrote to memory of 4592	3324	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 3324 wrote to memory of 4592	3324	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 3324 wrote to memory of 4592	3324	5fcda7ba7ec8e67ff814d484a57d62ab.exe	cmd.exe
PID 4592 wrote to memory of 3592	4592	cmd.exe	test.exe
PID 4592 wrote to memory of 3592	4592	cmd.exe	test.exe
PID 4592 wrote to memory of 3592	4592	cmd.exe	test.exe
PID 3592 wrote to memory of 2676	3592	test.exe	schtasks.exe
PID 3592 wrote to memory of 2676	3592	test.exe	schtasks.exe
PID 3592 wrote to memory of 2676	3592	test.exe	schtasks.exe
PID 3592 wrote to memory of 1544	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 1544	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 1544	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 3488	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 3488	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 3488	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2092	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2092	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2092	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2344	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2344	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 2344	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 1080	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 1080	3592	test.exe	vbc.exe
PID 3592 wrote to memory of 1080	3592	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5fcda7ba7ec8e67ff814d484a57d62ab.exe
"C:\Users\Admin\AppData\Local\Temp\5fcda7ba7ec8e67ff814d484a57d62ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C13.tmp"
4⤵
- Creates scheduled task(s)
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
330KB

MD5
261aa73f93c90dcec0c36a51cb9b5dee

SHA1
b0c41e06cd2ded81706820423db40bf8fea2c957

SHA256
ae160b749914bd56aecbcf43d56a59bde2069a145682b2911fe50c6adabe1b54

SHA512
7b90335b4a7db7b5056f6d60db642754038dc544bd2c1f82e68b1f8e339bf70227f0c08d157b4ca1004448fab7d109f0239196f242d0edeab978de9025a3c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C13.tmp
Filesize
1KB

MD5
7afcb5ac27ba6486390ed09397525d82

SHA1
beedb6a613c2bd009e6d180d0a9545c9b810b9e9

SHA256
e04a4ca13e4dc28ae9f2e1e49e5e925ef51ce93eeb50f6dd1e1ad598f33a6bf2

SHA512
fb2f68922ac726ca0ccba47447c182b95f4255b9e2b1215c395533c22d117d7187e9e571c058fc7c5cf9dd5a5c01a147b60571b73cfc8856ff498c4dfd2dca4e

Download Submit
C:\Users\Admin\AppData\Roaming\vXAlJeWc.exe
Filesize
136KB

MD5
dc06c6db35dbdcabc83fedde81f6cb94

SHA1
ec65cf2f386ffaaa525a27520be21c6ea7f3eac4

SHA256
fbdf373ed39620cac6674b0492ce76f43efa24572d49b08d8cbcdcfa1c2ef7de

SHA512
c9e9ede167c54afcaebca031e072adf250a14cf0602038253708acea3d0c8fda5d4618ef7584b525c9199eb5afe441401945add09d3a6d3fdee1c209401acdb3

Download Submit
memory/3324-14-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/3324-22-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/3324-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/3592-7-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/3592-10-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/3592-11-0x00000000059A0000-0x00000000059A8000-memory.dmp

Filesize
32KB

Download
memory/3592-13-0x0000000006600000-0x000000000669C000-memory.dmp

Filesize
624KB

Download
memory/3592-12-0x0000000005CF0000-0x0000000005D1C000-memory.dmp

Filesize
176KB

Download
memory/3592-9-0x0000000005B70000-0x0000000005B80000-memory.dmp

Filesize
64KB

Download
memory/3592-8-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3592-5-0x0000000000F60000-0x0000000000FB8000-memory.dmp

Filesize
352KB

Download
memory/3592-21-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3592-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads