Analysis
- max time kernel: 148s
- max time network: 117s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 06:10

Static task: static1

Behavioral task: behavioral1
- Sample: mazx.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: mazx.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: mazx.exe
- Size: 313KB
- MD5: ce868e50711384f6932917ceab7b3349
- SHA1: 65254c5c5b67524cbc73d8e5f5755a24451f7fd5
- SHA256: 15c4fa85cbc2c692575d38601a56e49a52a23d74a2dce110bf17beadf46672bb
- SHA512: e64b224fd9d60cc70a74b35dfd5869cbbbea44d1cde26a71c1a9a55dc5f226a0c409a9583c97c4115acc4c6d00a072d827162d32977386268789483ce8e89810
Malware Config
Signatures
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID   Process      Target PID  Target process
  1448  mazx.exe     284         mazx.exe
  284   mazx.exe     1312        Explorer.EXE
  1096  svchost.exe  1312        Explorer.EXE
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  PID   Process       Count
  1312  Explorer.EXE  4
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (each row groups identical write events; 19 events in total):
  PID   Process       Target PID  Target process  Count
  1448  mazx.exe      680         mazx.exe        4
  1448  mazx.exe      284         mazx.exe        7
  1312  Explorer.EXE  1096        svchost.exe     4
  1096  svchost.exe   1532        cmd.exe         4
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token              PID   Process
  SeDebugPrivilege   1448  mazx.exe
  SeDebugPrivilege   284   mazx.exe
  SeDebugPrivilege   1096  svchost.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes (each row groups identical events; 25 events in total):
  PID   Process      Count
  1448  mazx.exe     1
  284   mazx.exe     2
  1096  svchost.exe  22
Checks whether UAC is enabled (1 IoCs)
Processes:
  Description        IoC                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (each row groups identical events; 5 events in total):
  PID   Process      Count
  284   mazx.exe     3
  1096  svchost.exe  2
Deletes itself (1 IoCs)
Processes:
  PID   Process
  1532  cmd.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
  PID   Process       Count
  1312  Explorer.EXE  5
Processes (process tree; depth shown by indentation, command line in parentheses)

- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  Signatures:
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow

  - C:\Users\Admin\AppData\Local\Temp\mazx.exe ("C:\Users\Admin\AppData\Local\Temp\mazx.exe")
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

    - C:\Users\Admin\AppData\Local\Temp\mazx.exe ("C:\Users\Admin\AppData\Local\Temp\mazx.exe")
      Signatures: none

    - C:\Users\Admin\AppData\Local\Temp\mazx.exe ("C:\Users\Admin\AppData\Local\Temp\mazx.exe")
      Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  - C:\Windows\SysWOW64\svchost.exe ("C:\Windows\SysWOW64\svchost.exe")
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    - C:\Windows\SysWOW64\cmd.exe (/c del "C:\Users\Admin\AppData\Local\Temp\mazx.exe")
      Signatures:
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/284-0-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/284-1-0x000000000041E320-mapping.dmp
- memory/1096-2-0x0000000000000000-mapping.dmp
- memory/1096-3-0x00000000009B0000-0x00000000009B8000-memory.dmp (32KB)
- memory/1096-5-0x00000000005D0000-0x00000000006F8000-memory.dmp (1.2MB)
- memory/1532-4-0x0000000000000000-mapping.dmp