Analysis

Max time kernel: 149s
Resource: win7v191014
Submitted: 08-01-2020 23:47
Task: task1
Sample: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll
Resource: win7v191014
Signatures: 0

Task: task2
Sample: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll
Resource: win10v191014
Signatures: 0
General

Target: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b
Sample: 200108-dvzv841b7a
SHA256: 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b
Score: 10/10
Malware Config

Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1272 wrote to memory of 1508 | 1272 | rundll32.exe | 26
  PID 1508 wrote to memory of 1924 | 1508 | rundll32.exe | 27
  PID 1508 wrote to memory of 1080 | 1508 | rundll32.exe | 36
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1508 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1924 | wmic.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 1584 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1080 | wmic.exe
Maze
  Maze is a file-encrypting virus and also a successor to ChaCha.
Deletes shadow copies (2 TTPs, 2 IoCs)
  pid | Process
  1924 | wmic.exe
  1080 | wmic.exe
Drops startup file (6 IoCs)
  description | ioc | Process
  File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tv0al75.dat | rundll32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | rundll32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tv0al75.dat | rundll32.exe
  File created (read-only) | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tv0al75.dat | rundll32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html | rundll32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tv0al75.dat | rundll32.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
  PID: 1272
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
      PID: 1508
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Drops startup file
      - Sets desktop wallpaper using registry
      Child processes:
        C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\nxisg\ql\u\..\..\..\Windows\w\wrqdg\ny\..\..\..\system32\foyyf\..\wbem\m\jwflr\i\..\..\..\wmic.exe" shadowcopy delete
          PID: 1924
          - Suspicious use of AdjustPrivilegeToken
          - Deletes shadow copies
        C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\my\ok\xhi\..\..\..\Windows\ytsmw\b\..\..\system32\fvb\pqh\..\..\wbem\v\vxeq\..\..\wmic.exe" shadowcopy delete
          PID: 1080
          - Suspicious use of AdjustPrivilegeToken
          - Deletes shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1584
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  PID: 848