15c4fa85cbc2c692575d38601a56e49a52a23d74a2dce110bf17beadf46672bb

General

Target

mazx.exe
Size

313KB
MD5

ce868e50711384f6932917ceab7b3349
SHA1

65254c5c5b67524cbc73d8e5f5755a24451f7fd5
SHA256

15c4fa85cbc2c692575d38601a56e49a52a23d74a2dce110bf17beadf46672bb
SHA512

e64b224fd9d60cc70a74b35dfd5869cbbbea44d1cde26a71c1a9a55dc5f226a0c409a9583c97c4115acc4c6d00a072d827162d32977386268789483ce8e89810

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

mazx.exemazx.exesvchost.exe

description	pid	process	target process
PID 1448 set thread context of 284	1448	mazx.exe	mazx.exe
PID 284 set thread context of 1312	284	mazx.exe	Explorer.EXE
PID 1096 set thread context of 1312	1096	svchost.exe	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

mazx.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1448 wrote to memory of 680	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 680	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 680	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 680	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1448 wrote to memory of 284	1448	mazx.exe	mazx.exe
PID 1312 wrote to memory of 1096	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 1096	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 1096	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 1096	1312	Explorer.EXE	svchost.exe
PID 1096 wrote to memory of 1532	1096	svchost.exe	cmd.exe
PID 1096 wrote to memory of 1532	1096	svchost.exe	cmd.exe
PID 1096 wrote to memory of 1532	1096	svchost.exe	cmd.exe
PID 1096 wrote to memory of 1532	1096	svchost.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

mazx.exemazx.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1448 mazx.exe
Token: SeDebugPrivilege 284 mazx.exe
Token: SeDebugPrivilege 1096 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1448	mazx.exe
Token: SeDebugPrivilege	284	mazx.exe
Token: SeDebugPrivilege	1096	svchost.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

mazx.exemazx.exesvchost.exe

pid	process
1448	mazx.exe
284	mazx.exe
284	mazx.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mazx.exesvchost.exe

pid process

284 mazx.exe
284 mazx.exe
284 mazx.exe
1096 svchost.exe
1096 svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1532 cmd.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

pid	process
284	mazx.exe
284	mazx.exe
284	mazx.exe
1096	svchost.exe
1096	svchost.exe

pid	process
1532	cmd.exe

pid	process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
PID:1312

C:\Users\Admin\AppData\Local\Temp\mazx.exe
"C:\Users\Admin\AppData\Local\Temp\mazx.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Users\Admin\AppData\Local\Temp\mazx.exe
"C:\Users\Admin\AppData\Local\Temp\mazx.exe"
3⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\mazx.exe
"C:\Users\Admin\AppData\Local\Temp\mazx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:284

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mazx.exe"
3⤵
- Deletes itself
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/284-1-0x000000000041E320-mapping.dmp

Download
memory/1096-2-0x0000000000000000-mapping.dmp

Download
memory/1096-3-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1096-5-0x00000000005D0000-0x00000000006F8000-memory.dmp

Filesize
1.2MB

Download
memory/1532-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads