maze | 7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b

Analysis

max time kernel
149s
resource
win10v191014
submitted
08/01/2020, 23:47

Sharing

Copy URL

Twitter E-mail

General

Target

7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b
Sample

200108-dvzv841b7a
SHA256

7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b

Score

10^/10

trojan ransomware maze

Malware Config

Signatures

Drops startup file 6 IoCs

description	ioc	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aartzu.dat	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aartzu.dat	rundll32.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aartzu.dat	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aartzu.dat	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4896	4880	rundll32.exe	72
PID 4896 wrote to memory of 4992	4896	rundll32.exe	74
PID 4896 wrote to memory of 5016	4896	rundll32.exe	87

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4896	rundll32.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4992	wmic.exe
Token: SeSecurityPrivilege	4992	wmic.exe
Token: SeTakeOwnershipPrivilege	4992	wmic.exe
Token: SeLoadDriverPrivilege	4992	wmic.exe
Token: SeSystemProfilePrivilege	4992	wmic.exe
Token: SeSystemtimePrivilege	4992	wmic.exe
Token: SeProfSingleProcessPrivilege	4992	wmic.exe
Token: SeIncBasePriorityPrivilege	4992	wmic.exe
Token: SeCreatePagefilePrivilege	4992	wmic.exe
Token: SeBackupPrivilege	4992	wmic.exe
Token: SeRestorePrivilege	4992	wmic.exe
Token: SeShutdownPrivilege	4992	wmic.exe
Token: SeDebugPrivilege	4992	wmic.exe
Token: SeSystemEnvironmentPrivilege	4992	wmic.exe
Token: SeRemoteShutdownPrivilege	4992	wmic.exe
Token: SeUndockPrivilege	4992	wmic.exe
Token: SeManageVolumePrivilege	4992	wmic.exe
Token: 33	4992	wmic.exe
Token: 34	4992	wmic.exe
Token: 35	4992	wmic.exe
Token: 36	4992	wmic.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5016	wmic.exe
Token: SeSecurityPrivilege	5016	wmic.exe
Token: SeTakeOwnershipPrivilege	5016	wmic.exe
Token: SeLoadDriverPrivilege	5016	wmic.exe
Token: SeSystemProfilePrivilege	5016	wmic.exe
Token: SeSystemtimePrivilege	5016	wmic.exe
Token: SeProfSingleProcessPrivilege	5016	wmic.exe
Token: SeIncBasePriorityPrivilege	5016	wmic.exe
Token: SeCreatePagefilePrivilege	5016	wmic.exe
Token: SeBackupPrivilege	5016	wmic.exe
Token: SeRestorePrivilege	5016	wmic.exe
Token: SeShutdownPrivilege	5016	wmic.exe
Token: SeDebugPrivilege	5016	wmic.exe
Token: SeSystemEnvironmentPrivilege	5016	wmic.exe
Token: SeRemoteShutdownPrivilege	5016	wmic.exe
Token: SeUndockPrivilege	5016	wmic.exe
Token: SeManageVolumePrivilege	5016	wmic.exe
Token: 33	5016	wmic.exe
Token: 34	5016	wmic.exe
Token: 35	5016	wmic.exe
Token: 36	5016	wmic.exe

Maze
Maze is a file encrypting virus and also a successor to ChaCha.
trojan ransomware maze

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4992	wmic.exe
5016	wmic.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7164f1dc836de4ec126ead001b406acd6196618c63addda9c5a3f323df4e462b.dll,#1
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- - C:\Windows\system32\wbem\wmic.exe
    "C:\td\ujlwh\ccl\..\..\..\Windows\xbvca\..\system32\bnjk\stm\h\..\..\..\wbem\xt\ssq\..\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Deletes shadow copies
    PID:4992
- - C:\Windows\system32\wbem\wmic.exe
    "C:\hy\enehe\fcq\..\..\..\Windows\yallx\kvivk\..\..\system32\n\..\wbem\aes\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Deletes shadow copies
    PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact