bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac

General

Target

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
Size

204KB
MD5

0ac4edfbeaba0f502662782e754cd132
SHA1

661cac1f7496debc8b6caa9fdad81355a53471a5
SHA256

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac
SHA512

adadf04554127edad2bb4876f8bd7a35d10668d4eba41460bb194494bda5cff1496bcb086a0f18cc97650f9b5a8e16acbcc58d94075fe03629ae04dd164f3bbe
SSDEEP

768:LlvMareJ+teVEwbjMPkG1VuW/wqvRXMXp677yCzdXZRT2Nq1MaQnepMri14PGBEw:LRl6J+8jlGVs4emEFb3P0lpX

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

maoze.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	maoze.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

Executes dropped EXE 1 IoCs

Processes:

maoze.exe

pid process

2468 maoze.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

maoze.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /Z"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /E"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /R"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /o"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /y"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /q"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /H"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /g"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /W"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /z"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /d"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /b"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /j"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /T"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /Q"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /X"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /S"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /u"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /F"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /O"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /e"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /I"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /k"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /N"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /V"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /D"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /B"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /m"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /s"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /C"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /c"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /Y"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /P"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /l"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /J"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /p"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /f"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /A"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /i"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /w"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /K"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /v"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /x"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /r"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /h"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /L"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /U"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /G"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /n"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /t"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /a"	maoze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maoze = "C:\\Users\\Admin\\maoze.exe /M"	maoze.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2588-0-0x0000000000400000-0x0000000000443000-memory.dmp	upx
C:\Users\Admin\maoze.exe	upx
behavioral2/memory/2468-34-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/2588-37-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/2468-38-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exemaoze.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maoze.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

maoze.exe

pid	process
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe
2468	maoze.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exemaoze.exe

pid process

2588 bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
2468 maoze.exe

pid	process
2588	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
2468	maoze.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exemaoze.exe

description	pid	process	target process
PID 2588 wrote to memory of 2468	2588	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	maoze.exe
PID 2588 wrote to memory of 2468	2588	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	maoze.exe
PID 2588 wrote to memory of 2468	2588	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe	maoze.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
PID 2468 wrote to memory of 2588	2468	maoze.exe	bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe

C:\Users\Admin\AppData\Local\Temp\bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe
"C:\Users\Admin\AppData\Local\Temp\bffc35e7620db3970580d35331f6fd9a8389b56b14a783db58eda13a755e53ac.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\maoze.exe
  "C:\Users\Admin\maoze.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\maoze.exe

Filesize
204KB

MD5
b10a8e9143420e60993a130cfd62c06a

SHA1
f65978d3cd1218ac037c9290b40e4bd1df7d9d1b

SHA256
6a77f8d5d772c06990e92721e90ca6f72a48b927e08042fa886747effe7bfea0

SHA512
39f99e4d03c28448c5a9d9af95b6f1058099e367c15c98e888e9e0ff7fc6fea192d503ba6a6416cff65cfdc7b989fa6c2ed85cd9d9cce2c6b23aad46c27df464

Download Submit
memory/2468-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads