Overview

overview

10

Static

static

3

madzig1.3.exe

windows7-x64

10

madzig1.3.exe

windows10-2004-x64

7

uvrnbijywa.vbs

windows7-x64

1

uvrnbijywa.vbs

windows10-2004-x64

1

xtzzxbx.exe

windows7-x64

3

xtzzxbx.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    madzig1.3.exe

  • Size

    904KB

  • MD5

    7272ea4c00d27f61d0fdb06766ec349e

  • SHA1

    81e72cd1bc4f5213cc41f5c78b184d47f2d36dd0

  • SHA256

    bfe6a417287d1f3c25bb93b8841620c3a7274c715f749c425d146b67496299f1

  • SHA512

    3898d9fb2417f484803fd9ef0f105f35e7c986219d635ba7cff78aecfc3617d041eb669f8297942f60248302f49cc12fbcb724484c2ea216a2ad89c49a2af64c

  • SSDEEP

    24576:mbpDQ4Y0F4Ji4U4+4484olVxA9VJ30eoPF+Fb3bDorUsXQAKZNA46jgPdD:cvFzQ/g9uodD

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\madzig1.3.exe
    "C:\Users\Admin\AppData\Local\Temp\madzig1.3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
      "C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe" "C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 684
        3⤵
        • Program crash
        PID:4588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1308 -ip 1308
    1⤵
      PID:4472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\azwovjtxhn.dw
      Filesize

      36KB

      MD5

      d6e1c7b21467a5abb8bf7905c0df8269

      SHA1

      e691fa39cb04cf04aaa6f69fa0fda60bb4cff799

      SHA256

      1b838e446889eec4d84cf5ab66eb5656019f611c58d7b758279cd492bceb7eb5

      SHA512

      004aa5df26dbdb61fc57633f8a62f7ac58b21fcdfeb35fcdf1fe842b7a9ef188fc4deea53f6452b8689ae39495bd03f69108a90adbbcf939427c030302f0f0e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jfdpkhyiha.g
      Filesize

      185KB

      MD5

      91417fefd9465110ca2ce182f16dcabf

      SHA1

      049e446939b302595a4318f976cc5e3d83a5d499

      SHA256

      5d84f0c087e6d6928bd641b46db069f01d54ab88049906ea804409146f6452b0

      SHA512

      568c2bec10d6d07784379e15518c797788ee490db177d270a7b86409c014b4ba7bad2079d0ebad8a25331b85b02ce13605318edee6a1e96bf53928ab041cf117

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3
      Filesize

      4KB

      MD5

      2b951a4d0cd35c8bd945ba81138604fe

      SHA1

      f8400a801766f7bc9d41917703027e1628890446

      SHA256

      e1ed35d54e9a1bd2766ab47b66148af3037fcba26604a5c764a842015cee0638

      SHA512

      782ae563c588181143a75ef4df136604c68949e4e675d73ae36caf095664a6f5df9a7ec6d0ac4cfdce0fec927351d76c9653080a4672b0c1d7e1ffd005f66587

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
      Filesize

      925KB

      MD5

      0adb9b817f1df7807576c2d7068dd931

      SHA1

      4a1b94a9a5113106f40cd8ea724703734d15f118

      SHA256

      98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

      SHA512

      883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

      Download Submit

    • memory/1308-9-0x0000000001750000-0x0000000001752000-memory.dmp

      Filesize

      8KB

      Download