1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e

Analysis

max time kernel
141s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trz8522.exe
Size

308KB
MD5

d255a9cc1c1fa4a08e322543673bcb7e
SHA1

b3ea990c7f730eb61ff4ed87748b150e34dbc76c
SHA256

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926
SHA512

a84b58693e1d5fe4e9d734b058c965a0bd1b0e64894c7dc301929eff31001fd39d31e0ee8d39e31122cf4e6b45def9ea38c5a1535c691fc6a53ceec86fcf1bd7
SSDEEP

6144:ikIZp16d70R3eArX76KRoGOAGw1nYCAtIRJNTu+SnumvMS1leV6EITBsllw:ikLdgR3e2GKKGOsUI0+VS10VCal

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

trz8522.exe

pid process

1912 trz8522.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

trz8522.exe

description pid process target process

PID 1688 set thread context of 1912 1688 trz8522.exe trz8522.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2584 1912 WerFault.exe trz8522.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

trz8522.exe

description pid process

Token: SeDebugPrivilege 1688 trz8522.exe

pid	process
1912	trz8522.exe

description	pid	process	target process
PID 1688 set thread context of 1912	1688	trz8522.exe	trz8522.exe

pid	pid_target	process	target process
2584	1912	WerFault.exe	trz8522.exe

description	pid	process
Token: SeDebugPrivilege	1688	trz8522.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

trz8522.execsc.exe

description	pid	process	target process
PID 1688 wrote to memory of 4312	1688	trz8522.exe	csc.exe
PID 1688 wrote to memory of 4312	1688	trz8522.exe	csc.exe
PID 1688 wrote to memory of 4312	1688	trz8522.exe	csc.exe
PID 4312 wrote to memory of 4820	4312	csc.exe	cvtres.exe
PID 4312 wrote to memory of 4820	4312	csc.exe	cvtres.exe
PID 4312 wrote to memory of 4820	4312	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1912	1688	trz8522.exe	trz8522.exe
PID 1688 wrote to memory of 1912	1688	trz8522.exe	trz8522.exe
PID 1688 wrote to memory of 1912	1688	trz8522.exe	trz8522.exe
PID 1688 wrote to memory of 1912	1688	trz8522.exe	trz8522.exe
PID 1688 wrote to memory of 1912	1688	trz8522.exe	trz8522.exe

C:\Users\Admin\AppData\Local\Temp\trz8522.exe
"C:\Users\Admin\AppData\Local\Temp\trz8522.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zcpcxsiw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9B9.tmp"
3⤵
PID:4820

C:\Users\Admin\AppData\Roaming\trz8522.exe
C:\Users\Admin\AppData\Roaming\trz8522.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 12
3⤵
- Program crash
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1912 -ip 1912
1⤵
PID:4724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE9BA.tmp
Filesize
1KB

MD5
d556fac64498738bf15d89c8ef5350a5

SHA1
d0c1fcf2981265fe24e04437f44e44929919e489

SHA256
7d7dbb4ab25e236f2488a020dbe810b641936a84bbd2149d31cb5838eba7f5b7

SHA512
69d4c8a1d5ffc0f642967bcd2522c1f5899fabe0ed24dcd62f266fb1febc24f14ddeb55728e2a608408c0a5955187a49b33caba66f04ac7eccef2f4592da845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcpcxsiw.dll
Filesize
5KB

MD5
3a12660695a6a0dab08645f2a795a8d7

SHA1
84a2f1aaa47f3f91582a6d0e19f432bfbd1809ff

SHA256
78da0d32ebbbf5623081384c8e1a64e58c56120fab74fecdafee346c64a41824

SHA512
1affe7f71be976a4a409b972a4c2f5348c60a21a150541f5047b4922af4f173a1c72c8f98099b1024f2b425d518a89ace75cfb4566a5474814d4db5a11fb37d3

Download Submit
C:\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE9B9.tmp
Filesize
652B

MD5
fa6c4c854c84c0abb5cf5ea82b8e49a4

SHA1
d906239ba9fd0afb769bb2fd3b7af73f3638d021

SHA256
54f4802f8e85684028320db958bea362fa3ddb19a99f238e0be06b61bd0fa4ef

SHA512
8027ad910229f25a714695781d2554230cd234a1c59975a92f40c03eb16aed01a80d9394af36efcb1f61c722fae9f4f0fd3b50ed82f9d55c0251c5074a03fb4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zcpcxsiw.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zcpcxsiw.cmdline
Filesize
206B

MD5
0e50261059a682d3e50b6366290729cf

SHA1
f87cba8036ada930ff220f631d8efd606d5b4f9d

SHA256
bed686d6bbdd1eb6e2657bac34a761a7f7b68a1fe032222367bf7e62c60e61e4

SHA512
e462f29deb4676c6d9d3b9d21aa2e50c7588fdbed6d29d1701a7e74acf704d1ec417220c48973026bfbd15c80eb4339666d865fa494cd2274946608cff4d32c6

Download Submit
memory/1688-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1688-143-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1912-140-0x0000000000000000-mapping.dmp

Download
memory/4312-133-0x0000000000000000-mapping.dmp

Download
memory/4820-136-0x0000000000000000-mapping.dmp

Download