maze | 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502

Analysis

max time kernel
150s
resource
win10v191014
submitted
08-01-2020 23:47

Sharing

Copy URL

Twitter E-mail

General

Target

33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
Sample

200108-qwszj1akws
SHA256

33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502

Score

10^/10

ransomware trojan maze

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4988	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2936	4988	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe	73
PID 4988 wrote to memory of 2408	4988	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe	83

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2936	wmic.exe
Token: SeSecurityPrivilege	2936	wmic.exe
Token: SeTakeOwnershipPrivilege	2936	wmic.exe
Token: SeLoadDriverPrivilege	2936	wmic.exe
Token: SeSystemProfilePrivilege	2936	wmic.exe
Token: SeSystemtimePrivilege	2936	wmic.exe
Token: SeProfSingleProcessPrivilege	2936	wmic.exe
Token: SeIncBasePriorityPrivilege	2936	wmic.exe
Token: SeCreatePagefilePrivilege	2936	wmic.exe
Token: SeBackupPrivilege	2936	wmic.exe
Token: SeRestorePrivilege	2936	wmic.exe
Token: SeShutdownPrivilege	2936	wmic.exe
Token: SeDebugPrivilege	2936	wmic.exe
Token: SeSystemEnvironmentPrivilege	2936	wmic.exe
Token: SeRemoteShutdownPrivilege	2936	wmic.exe
Token: SeUndockPrivilege	2936	wmic.exe
Token: SeManageVolumePrivilege	2936	wmic.exe
Token: 33	2936	wmic.exe
Token: 34	2936	wmic.exe
Token: 35	2936	wmic.exe
Token: 36	2936	wmic.exe
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2408	wmic.exe
Token: SeSecurityPrivilege	2408	wmic.exe
Token: SeTakeOwnershipPrivilege	2408	wmic.exe
Token: SeLoadDriverPrivilege	2408	wmic.exe
Token: SeSystemProfilePrivilege	2408	wmic.exe
Token: SeSystemtimePrivilege	2408	wmic.exe
Token: SeProfSingleProcessPrivilege	2408	wmic.exe
Token: SeIncBasePriorityPrivilege	2408	wmic.exe
Token: SeCreatePagefilePrivilege	2408	wmic.exe
Token: SeBackupPrivilege	2408	wmic.exe
Token: SeRestorePrivilege	2408	wmic.exe
Token: SeShutdownPrivilege	2408	wmic.exe
Token: SeDebugPrivilege	2408	wmic.exe
Token: SeSystemEnvironmentPrivilege	2408	wmic.exe
Token: SeRemoteShutdownPrivilege	2408	wmic.exe
Token: SeUndockPrivilege	2408	wmic.exe
Token: SeManageVolumePrivilege	2408	wmic.exe
Token: 33	2408	wmic.exe
Token: 34	2408	wmic.exe
Token: 35	2408	wmic.exe
Token: 36	2408	wmic.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2936	wmic.exe
2408	wmic.exe

Maze
Maze is a file encrypting virus and also a successor to ChaCha.
trojan ransomware maze

Drops startup file 6 IoCs

description	ioc	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3a0hzcka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3a0hzcka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e3a0hzcka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e3a0hzcka.dat	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe

C:\Users\Admin\AppData\Local\Temp\33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe
"C:\Users\Admin\AppData\Local\Temp\33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops startup file
- Sets desktop wallpaper using registry
PID:4988
- C:\Windows\system32\wbem\wmic.exe
  "C:\r\c\..\..\Windows\i\..\system32\eb\mddtt\..\..\wbem\vluu\wf\k\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:2936
- C:\Windows\system32\wbem\wmic.exe
  "C:\ae\tfk\..\..\Windows\x\r\..\..\system32\rhl\gyec\..\..\wbem\ms\un\j\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Deletes shadow copies
  PID:2408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact