afa179e0ec215f3c6d914719310cba0351c5a016c9c51453eea0fe4fe1c87de4

General

Target

b9b4c8a0b58f24eae6f327eb323aecc1.exe
Size

1.4MB
MD5

b9b4c8a0b58f24eae6f327eb323aecc1
SHA1

0d15ed0818508c8b8c502cd283a0833d763a0f79
SHA256

afa179e0ec215f3c6d914719310cba0351c5a016c9c51453eea0fe4fe1c87de4
SHA512

4c8d2dc7105725882646377b3a1ceba4b938d546a5dda7350b546f27a3873f77d769d5d8fcb0e344de6b3d1227e4f086df28990d54abe18aaf380f190c58b31c
SSDEEP

24576:W6yJMY9UFoRDhkeYM1jJR97zUbia9JVe0hs5WfBiERJchVML1bT6ES:BY9UORVOM1jJHzaiape0hsABFRJch6Lm

Score

9^/10

rezer0 upx

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2576-9-0x0000000000C40000-0x0000000000C6C000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2576 test.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe

pid	process
2576	test.exe

pid	process
2032	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2088-1-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2088-10-0x0000000000400000-0x00000000006F1000-memory.dmp	upx
behavioral1/memory/2088-17-0x0000000000400000-0x00000000006F1000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

test.exe

pid process

2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
2576 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 2576 test.exe

pid	process
2392	schtasks.exe

pid	process
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe
2576	test.exe

description	pid	process
Token: SeDebugPrivilege	2576	test.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

b9b4c8a0b58f24eae6f327eb323aecc1.execmd.exetest.exe

description	pid	process	target process
PID 2088 wrote to memory of 2032	2088	b9b4c8a0b58f24eae6f327eb323aecc1.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	b9b4c8a0b58f24eae6f327eb323aecc1.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	b9b4c8a0b58f24eae6f327eb323aecc1.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	b9b4c8a0b58f24eae6f327eb323aecc1.exe	cmd.exe
PID 2032 wrote to memory of 2576	2032	cmd.exe	test.exe
PID 2032 wrote to memory of 2576	2032	cmd.exe	test.exe
PID 2032 wrote to memory of 2576	2032	cmd.exe	test.exe
PID 2032 wrote to memory of 2576	2032	cmd.exe	test.exe
PID 2576 wrote to memory of 2392	2576	test.exe	schtasks.exe
PID 2576 wrote to memory of 2392	2576	test.exe	schtasks.exe
PID 2576 wrote to memory of 2392	2576	test.exe	schtasks.exe
PID 2576 wrote to memory of 2392	2576	test.exe	schtasks.exe
PID 2576 wrote to memory of 2640	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2640	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2640	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2640	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2572	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2572	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2572	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2572	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2408	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2408	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2408	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2408	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2472	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2472	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2472	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2472	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2520	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2520	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2520	2576	test.exe	vbc.exe
PID 2576 wrote to memory of 2520	2576	test.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b9b4c8a0b58f24eae6f327eb323aecc1.exe
"C:\Users\Admin\AppData\Local\Temp\b9b4c8a0b58f24eae6f327eb323aecc1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXAlJeWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp420F.tmp"
4⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
4⤵
PID:2520

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
330KB

MD5
261aa73f93c90dcec0c36a51cb9b5dee

SHA1
b0c41e06cd2ded81706820423db40bf8fea2c957

SHA256
ae160b749914bd56aecbcf43d56a59bde2069a145682b2911fe50c6adabe1b54

SHA512
7b90335b4a7db7b5056f6d60db642754038dc544bd2c1f82e68b1f8e339bf70227f0c08d157b4ca1004448fab7d109f0239196f242d0edeab978de9025a3c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp420F.tmp
Filesize
1KB

MD5
4697be186039e4fc6b23264261be89d9

SHA1
a0f9114a984ff332f7ad8188dde196a1ab277d87

SHA256
9358516b6767bfe3f81ac48b5c10609afdcb3bc0e4d6ffd4dc747702dbbe38e9

SHA512
db034e7258e0b0760cafec5a36b5582d8ab02316df8d4e4568e59d717ced6359d6a88e0074e134c9e457d9f88fb77c75bd049da34015fee00fd52696428087db

Download Submit
memory/2088-1-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2088-10-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2088-17-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/2576-6-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-5-0x0000000000EE0000-0x0000000000F38000-memory.dmp

Filesize
352KB

Download
memory/2576-7-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/2576-8-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2576-9-0x0000000000C40000-0x0000000000C6C000-memory.dmp

Filesize
176KB

Download
memory/2576-16-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads