9d0547070e294e4158e6c446fa2295f5ae170f31cc64d677c5261d14caf38ab8

Resubmissions

01-07-2024 19:00

240701-xnp9zstfnc 5

01-07-2024 18:54

240701-xkj9kaxflj 4

01-07-2024 18:53

240701-xjrbgstdrf 10

01-07-2024 18:44

240701-xdytdatbqe 7

Analysis

max time kernel
117s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JudgeLZT.exe
Size

951KB
MD5

18f16ea3096e479cc7923df5269b25d8
SHA1

c0169fdb70ca980a8ca0baebb2fc3a118fd290c6
SHA256

1c84f3a2fd0a00690b2a2e385d952ec3f7a7c94223fd0e3a80aff510d329d13c
SHA512

5a38cf66a137a51776335f520f8b6a39db025a426b0669088f813979fabfe279c38c19504db233153865c6d0f2f759c61af751465245454498ef006a85a04d36
SSDEEP

24576:vuZIdQCtwQpFZWRmqU573CYz6VJyH+np1Vu1OxkCTK:HwQpFZWRh/A6VJyH+zVueTK

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

JudgeLZT.exe

description pid process target process

PID 4968 set thread context of 4648 4968 JudgeLZT.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

756 4968 WerFault.exe JudgeLZT.exe

description	pid	process	target process
PID 4968 set thread context of 4648	4968	JudgeLZT.exe	RegAsm.exe

pid	pid_target	process	target process
756	4968	WerFault.exe	JudgeLZT.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3976 WINWORD.EXE
3976 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3976 WINWORD.EXE
3976 WINWORD.EXE
3976 WINWORD.EXE
3976 WINWORD.EXE
3976 WINWORD.EXE
3976 WINWORD.EXE
3976 WINWORD.EXE

pid	process
3976	WINWORD.EXE
3976	WINWORD.EXE

pid	process
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE
3976	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

JudgeLZT.exe

description	pid	process	target process
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe
PID 4968 wrote to memory of 4648	4968	JudgeLZT.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\JudgeLZT.exe
"C:\Users\Admin\AppData\Local\Temp\JudgeLZT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 280
2⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4968 -ip 4968
1⤵
PID:2668

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
c7615966e23dbfefa7bafbb4ec414fea

SHA1
eb7768d21f187136fdf40b1defef8e40e157081e

SHA256
7255134cf7d7a71adc33539ae367ffed07b8029c05ff82dde580b7dcb89a6a0b

SHA512
c069c117098bf8e7824a38746ce943204f3bdce9df7c5c2806dcbaa2e786047bc77a9e42cdd61903a48a44a711df4521f65fbae28930b6446c03e0e83cf8ff69

Download Submit
memory/3976-15-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-50-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-16-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-7-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

Filesize
64KB

Download
memory/3976-9-0x00007FFA16BAD000-0x00007FFA16BAE000-memory.dmp

Filesize
4KB

Download
memory/3976-8-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

Filesize
64KB

Download
memory/3976-6-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

Filesize
64KB

Download
memory/3976-10-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-12-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-11-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

Filesize
64KB

Download
memory/3976-13-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-14-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-5-0x00007FF9D6B90000-0x00007FF9D6BA0000-memory.dmp

Filesize
64KB

Download
memory/3976-26-0x00007FF9D4390000-0x00007FF9D43A0000-memory.dmp

Filesize
64KB

Download
memory/3976-19-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-18-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-23-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-24-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-22-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-21-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-20-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-17-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-25-0x00007FF9D4390000-0x00007FF9D43A0000-memory.dmp

Filesize
64KB

Download
memory/4648-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4648-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4648-1-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4968-0-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download