maze | 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502

Analysis

max time kernel
137s
resource
win7v191014
submitted
08-01-2020 23:47

Sharing

Copy URL

Twitter E-mail

General

Target

33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
Sample

200108-qwszj1akws
SHA256

33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502

Score

10^/10

ransomware trojan maze

Malware Config

Signatures

Maze
Maze is a file encrypting virus and also a successor to ChaCha.
trojan ransomware maze

Drops startup file 6 IoCs

description	ioc	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbmka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbmka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\bbmka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\bbmka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1440	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2008	1440	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe	26
PID 1440 wrote to memory of 1488	1440	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe	34

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2008	wmic.exe
Token: SeSecurityPrivilege	2008	wmic.exe
Token: SeTakeOwnershipPrivilege	2008	wmic.exe
Token: SeLoadDriverPrivilege	2008	wmic.exe
Token: SeSystemProfilePrivilege	2008	wmic.exe
Token: SeSystemtimePrivilege	2008	wmic.exe
Token: SeProfSingleProcessPrivilege	2008	wmic.exe
Token: SeIncBasePriorityPrivilege	2008	wmic.exe
Token: SeCreatePagefilePrivilege	2008	wmic.exe
Token: SeBackupPrivilege	2008	wmic.exe
Token: SeRestorePrivilege	2008	wmic.exe
Token: SeShutdownPrivilege	2008	wmic.exe
Token: SeDebugPrivilege	2008	wmic.exe
Token: SeSystemEnvironmentPrivilege	2008	wmic.exe
Token: SeRemoteShutdownPrivilege	2008	wmic.exe
Token: SeUndockPrivilege	2008	wmic.exe
Token: SeManageVolumePrivilege	2008	wmic.exe
Token: 33	2008	wmic.exe
Token: 34	2008	wmic.exe
Token: 35	2008	wmic.exe
Token: SeBackupPrivilege	1984	vssvc.exe
Token: SeRestorePrivilege	1984	vssvc.exe
Token: SeAuditPrivilege	1984	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1488	wmic.exe
Token: SeSecurityPrivilege	1488	wmic.exe
Token: SeTakeOwnershipPrivilege	1488	wmic.exe
Token: SeLoadDriverPrivilege	1488	wmic.exe
Token: SeSystemProfilePrivilege	1488	wmic.exe
Token: SeSystemtimePrivilege	1488	wmic.exe
Token: SeProfSingleProcessPrivilege	1488	wmic.exe
Token: SeIncBasePriorityPrivilege	1488	wmic.exe
Token: SeCreatePagefilePrivilege	1488	wmic.exe
Token: SeBackupPrivilege	1488	wmic.exe
Token: SeRestorePrivilege	1488	wmic.exe
Token: SeShutdownPrivilege	1488	wmic.exe
Token: SeDebugPrivilege	1488	wmic.exe
Token: SeSystemEnvironmentPrivilege	1488	wmic.exe
Token: SeRemoteShutdownPrivilege	1488	wmic.exe
Token: SeUndockPrivilege	1488	wmic.exe
Token: SeManageVolumePrivilege	1488	wmic.exe
Token: 33	1488	wmic.exe
Token: 34	1488	wmic.exe
Token: 35	1488	wmic.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2008	wmic.exe
1488	wmic.exe

C:\Users\Admin\AppData\Local\Temp\33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
"C:\Users\Admin\AppData\Local\Temp\33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\system32\wbem\wmic.exe
  "C:\asda\..\Windows\wcpeg\ev\..\..\system32\ppnd\..\wbem\n\ij\p\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:2008
- C:\Windows\system32\wbem\wmic.exe
  "C:\atmd\..\Windows\auwe\rhvho\..\..\system32\fslfb\x\..\..\wbem\o\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:1488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact