9d0547070e294e4158e6c446fa2295f5ae170f31cc64d677c5261d14caf38ab8

Resubmissions

01-07-2024 19:00

240701-xnp9zstfnc 5

01-07-2024 18:54

240701-xkj9kaxflj 4

01-07-2024 18:53

240701-xjrbgstdrf 10

01-07-2024 18:44

240701-xdytdatbqe 7

Analysis

max time kernel
193s
max time network
209s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezyZip.zip
Size

1.0MB
MD5

78bd0901f4a5a3476c8887c73e730d30
SHA1

3c04901951285ada89943d42eda7020c54e24e84
SHA256

9d0547070e294e4158e6c446fa2295f5ae170f31cc64d677c5261d14caf38ab8
SHA512

383e5fde5928dd91526832934a0ed7e34b502be370407e8f05c6c67a427decc328e44c0ffe6aeb0357f51c7acc751a4f8167e6e043e744186821eaec5e619c07
SSDEEP

24576:DxladE0NO6cWgTzE3+3pLVuLOhkC1xepCJ1FvNJW:DxlWE0NO6cbQ3+dVuG1uM1FVs

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

JudgeLZT.exeJudgeLZT.exe

description pid process target process

PID 476 set thread context of 4600 476 JudgeLZT.exe RegAsm.exe
PID 3712 set thread context of 392 3712 JudgeLZT.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1180 476 WerFault.exe JudgeLZT.exe
4712 3712 WerFault.exe JudgeLZT.exe

description	pid	process	target process
PID 476 set thread context of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 3712 set thread context of 392	3712	JudgeLZT.exe	RegAsm.exe

pid	pid_target	process	target process
1180	476	WerFault.exe	JudgeLZT.exe
4712	3712	WerFault.exe	JudgeLZT.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

JudgeLZT.exeJudgeLZT.exe

description	pid	process	target process
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 476 wrote to memory of 4600	476	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2204	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2204	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2204	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 3656	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 3656	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 3656	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2520	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2520	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 2520	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe
PID 3712 wrote to memory of 392	3712	JudgeLZT.exe	RegAsm.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyZip.zip
1⤵
PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2120

C:\Users\Admin\Documents\ezyZip\JudgeLZT.exe
"C:\Users\Admin\Documents\ezyZip\JudgeLZT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 320
2⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 476 -ip 476
1⤵
PID:3092

C:\Users\Admin\Documents\ezyZip\JudgeLZT.exe
"C:\Users\Admin\Documents\ezyZip\JudgeLZT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 292
2⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3712 -ip 3712
1⤵
PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-10-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/476-1-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3712-7-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/4600-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4600-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4600-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4600-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download