d0eadbedee0e0fcbfa81a6207b9ae78d51edbe3a1f555ebfe56fde75374330cd

General

Target

6e2f2d04a6348dc284a08df5a4502a3d.exe
Size

1.4MB
MD5

6e2f2d04a6348dc284a08df5a4502a3d
SHA1

73635edcad594a65eb50f67d76da549675bd9df0
SHA256

d0eadbedee0e0fcbfa81a6207b9ae78d51edbe3a1f555ebfe56fde75374330cd
SHA512

f9444b59392e76880b13e818b7c84b41fd19dc78bea748f0e6f1021b37b431034cc49fcbb86d4ccdfba86ef2962a740e0160e805734e8820ab88f7ca86c194a8
SSDEEP

24576:26yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6E7:hY9UORVOM1jJHzaiape0hsABFRJch6Lv

Score

9^/10

rezer0 upx

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2864-9-0x0000000002050000-0x000000000207C000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2864 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe

pid	process
2864	test.exe

pid	process
1996	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2932-16-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

test.exe

pid process

2864 test.exe
2864 test.exe
2864 test.exe
2864 test.exe
2864 test.exe
2864 test.exe
2864 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 2864 test.exe

pid	process
2292	schtasks.exe

pid	process
2864	test.exe
2864	test.exe
2864	test.exe
2864	test.exe
2864	test.exe
2864	test.exe
2864	test.exe

description	pid	process
Token: SeDebugPrivilege	2864	test.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6e2f2d04a6348dc284a08df5a4502a3d.execmd.exetest.exe

description	pid	process	target process
PID 2932 wrote to memory of 1996	2932	6e2f2d04a6348dc284a08df5a4502a3d.exe	cmd.exe
PID 2932 wrote to memory of 1996	2932	6e2f2d04a6348dc284a08df5a4502a3d.exe	cmd.exe
PID 2932 wrote to memory of 1996	2932	6e2f2d04a6348dc284a08df5a4502a3d.exe	cmd.exe
PID 2932 wrote to memory of 1996	2932	6e2f2d04a6348dc284a08df5a4502a3d.exe	cmd.exe
PID 1996 wrote to memory of 2864	1996	cmd.exe	test.exe
PID 1996 wrote to memory of 2864	1996	cmd.exe	test.exe
PID 1996 wrote to memory of 2864	1996	cmd.exe	test.exe
PID 1996 wrote to memory of 2864	1996	cmd.exe	test.exe
PID 2864 wrote to memory of 2292	2864	test.exe	schtasks.exe
PID 2864 wrote to memory of 2292	2864	test.exe	schtasks.exe
PID 2864 wrote to memory of 2292	2864	test.exe	schtasks.exe
PID 2864 wrote to memory of 2292	2864	test.exe	schtasks.exe
PID 2864 wrote to memory of 2652	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2652	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2652	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2652	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2664	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2664	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2664	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2664	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2660	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2660	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2660	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2660	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2596	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2596	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2596	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2596	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2544	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2544	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2544	2864	test.exe	vbc.exe
PID 2864 wrote to memory of 2544	2864	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6e2f2d04a6348dc284a08df5a4502a3d.exe
"C:\Users\Admin\AppData\Local\Temp\6e2f2d04a6348dc284a08df5a4502a3d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp"
4⤵
- Creates scheduled task(s)
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2544

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
330KB

MD5
261aa73f93c90dcec0c36a51cb9b5dee

SHA1
b0c41e06cd2ded81706820423db40bf8fea2c957

SHA256
ae160b749914bd56aecbcf43d56a59bde2069a145682b2911fe50c6adabe1b54

SHA512
7b90335b4a7db7b5056f6d60db642754038dc544bd2c1f82e68b1f8e339bf70227f0c08d157b4ca1004448fab7d109f0239196f242d0edeab978de9025a3c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp
Filesize
1KB

MD5
988e4c836725c089ec97ed6469441bee

SHA1
9cfb8a02160889208de53d7c7fcc8e49aa51ab64

SHA256
00c218d8762d067ffbc9d2682d719b145a1b3b3a3d5dd06bdd050a011e107108

SHA512
daaf2ddcc65e9028cf58eb901dc77c5497001cf109215255dd88c391d82f264271c23d6d4ae027f7cc02844275a6a2c7b3bb5f6b71abd0c45fb8631a2b708377

Download Submit
memory/2864-5-0x0000000000840000-0x0000000000898000-memory.dmp

Filesize
352KB

Download
memory/2864-6-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-7-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2864-8-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2864-9-0x0000000002050000-0x000000000207C000-memory.dmp

Filesize
176KB

Download
memory/2864-15-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2932-16-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads