Analysis
-
max time kernel
133s -
resource
win10v191014 -
submitted
08-01-2020 23:47
Task
task1
Sample
6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
Resource
win10v191014
0 signatures
General
-
Target
6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5
-
Sample
200108-qgryr1sq56
-
SHA256
6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5
Score
10/10
Malware Config
Signatures
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 5044 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5044 wrote to memory of 4304 5044 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe 73 PID 5044 wrote to memory of 3420 5044 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe 85 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4304 wmic.exe Token: SeSecurityPrivilege 4304 wmic.exe Token: SeTakeOwnershipPrivilege 4304 wmic.exe Token: SeLoadDriverPrivilege 4304 wmic.exe Token: SeSystemProfilePrivilege 4304 wmic.exe Token: SeSystemtimePrivilege 4304 wmic.exe Token: SeProfSingleProcessPrivilege 4304 wmic.exe Token: SeIncBasePriorityPrivilege 4304 wmic.exe Token: SeCreatePagefilePrivilege 4304 wmic.exe Token: SeBackupPrivilege 4304 wmic.exe Token: SeRestorePrivilege 4304 wmic.exe Token: SeShutdownPrivilege 4304 wmic.exe Token: SeDebugPrivilege 4304 wmic.exe Token: SeSystemEnvironmentPrivilege 4304 wmic.exe Token: SeRemoteShutdownPrivilege 4304 wmic.exe Token: SeUndockPrivilege 4304 wmic.exe Token: SeManageVolumePrivilege 4304 wmic.exe Token: 33 4304 wmic.exe Token: 34 4304 wmic.exe Token: 35 4304 wmic.exe Token: 36 4304 wmic.exe Token: SeBackupPrivilege 1968 vssvc.exe Token: SeRestorePrivilege 1968 vssvc.exe Token: SeAuditPrivilege 1968 vssvc.exe Token: SeIncreaseQuotaPrivilege 3420 wmic.exe Token: SeSecurityPrivilege 3420 wmic.exe Token: SeTakeOwnershipPrivilege 3420 wmic.exe Token: SeLoadDriverPrivilege 3420 wmic.exe Token: SeSystemProfilePrivilege 3420 wmic.exe Token: SeSystemtimePrivilege 3420 wmic.exe Token: SeProfSingleProcessPrivilege 3420 wmic.exe Token: SeIncBasePriorityPrivilege 3420 wmic.exe Token: SeCreatePagefilePrivilege 3420 wmic.exe Token: SeBackupPrivilege 3420 wmic.exe Token: SeRestorePrivilege 3420 wmic.exe Token: SeShutdownPrivilege 3420 wmic.exe Token: SeDebugPrivilege 3420 wmic.exe Token: SeSystemEnvironmentPrivilege 3420 wmic.exe Token: SeRemoteShutdownPrivilege 3420 wmic.exe Token: SeUndockPrivilege 3420 wmic.exe Token: SeManageVolumePrivilege 3420 wmic.exe Token: 33 3420 wmic.exe Token: 34 3420 wmic.exe Token: 35 3420 wmic.exe Token: 36 3420 wmic.exe -
Maze
Maze is a file encrypting virus and also a successor to ChaCha.
-
Deletes shadow copies 2 TTPs 2 IoCs
pid Process 4304 wmic.exe 3420 wmic.exe -
Drops startup file 6 IoCs
description ioc Process File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zr0926.dat 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zr0926.dat 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\zr0926.dat 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\zr0926.dat 6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe"C:\Users\Admin\AppData\Local\Temp\6fcf946fb8c4c04a583587147b137ea8d7b3fc7f67e1b508b2653e0e21756ca5.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops startup file
PID:5044 -
C:\Windows\system32\wbem\wmic.exe"C:\ooqoy\a\m\..\..\..\Windows\auel\six\gs\..\..\..\system32\oinm\grvd\lsuk\..\..\..\wbem\capa\idwu\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:4304
-
-
C:\Windows\system32\wbem\wmic.exe"C:\gtm\..\Windows\fcu\..\system32\gtm\..\wbem\gq\jhy\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:3420
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968