maze | 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5

Analysis

max time kernel
147s
resource
win7v191014
submitted
08-01-2020 23:47

Sharing

Copy URL

Twitter E-mail

General

Target

6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5
Sample

200108-qgryr1sq56
SHA256

6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5

Score

10^/10

trojan ransomware maze

Malware Config

Signatures

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmkofnqqe.dat	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\wmkofnqqe.dat	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\wmkofnqqe.dat	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmkofnqqe.dat	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1628	2012	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe	26
PID 2012 wrote to memory of 1492	2012	6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe	34

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1628	wmic.exe
Token: SeSecurityPrivilege	1628	wmic.exe
Token: SeTakeOwnershipPrivilege	1628	wmic.exe
Token: SeLoadDriverPrivilege	1628	wmic.exe
Token: SeSystemProfilePrivilege	1628	wmic.exe
Token: SeSystemtimePrivilege	1628	wmic.exe
Token: SeProfSingleProcessPrivilege	1628	wmic.exe
Token: SeIncBasePriorityPrivilege	1628	wmic.exe
Token: SeCreatePagefilePrivilege	1628	wmic.exe
Token: SeBackupPrivilege	1628	wmic.exe
Token: SeRestorePrivilege	1628	wmic.exe
Token: SeShutdownPrivilege	1628	wmic.exe
Token: SeDebugPrivilege	1628	wmic.exe
Token: SeSystemEnvironmentPrivilege	1628	wmic.exe
Token: SeRemoteShutdownPrivilege	1628	wmic.exe
Token: SeUndockPrivilege	1628	wmic.exe
Token: SeManageVolumePrivilege	1628	wmic.exe
Token: 33	1628	wmic.exe
Token: 34	1628	wmic.exe
Token: 35	1628	wmic.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1492	wmic.exe
Token: SeSecurityPrivilege	1492	wmic.exe
Token: SeTakeOwnershipPrivilege	1492	wmic.exe
Token: SeLoadDriverPrivilege	1492	wmic.exe
Token: SeSystemProfilePrivilege	1492	wmic.exe
Token: SeSystemtimePrivilege	1492	wmic.exe
Token: SeProfSingleProcessPrivilege	1492	wmic.exe
Token: SeIncBasePriorityPrivilege	1492	wmic.exe
Token: SeCreatePagefilePrivilege	1492	wmic.exe
Token: SeBackupPrivilege	1492	wmic.exe
Token: SeRestorePrivilege	1492	wmic.exe
Token: SeShutdownPrivilege	1492	wmic.exe
Token: SeDebugPrivilege	1492	wmic.exe
Token: SeSystemEnvironmentPrivilege	1492	wmic.exe
Token: SeRemoteShutdownPrivilege	1492	wmic.exe
Token: SeUndockPrivilege	1492	wmic.exe
Token: SeManageVolumePrivilege	1492	wmic.exe
Token: 33	1492	wmic.exe
Token: 34	1492	wmic.exe
Token: 35	1492	wmic.exe

Maze
Maze is a file encrypting virus and also a successor to ChaCha.
trojan ransomware maze

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1628	wmic.exe
1492	wmic.exe

C:\Users\Admin\AppData\Local\Temp\6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
"C:\Users\Admin\AppData\Local\Temp\6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\wbem\wmic.exe
  "C:\cnsa\ykk\qtijv\..\..\..\Windows\bhjvp\..\system32\kds\fla\wts\..\..\..\wbem\mbl\hbc\jneww\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:1628
- C:\Windows\system32\wbem\wmic.exe
  "C:\h\..\Windows\is\ya\..\..\system32\ra\..\wbem\hu\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact