Analysis
-
max time kernel
147s -
max time network
142s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
06-08-2020 08:04
Static task
static1
Behavioral task
behavioral1
Sample
4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe
-
Size
350KB
-
MD5
90c0d9bae24b7101eb934b5e4ad2e4f4
-
SHA1
c9ddea45341162e1d4635da3a30a01f8e8819640
-
SHA256
4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e
-
SHA512
a155644217228e19e28389529ceb864c57d6ac8229e881af7ccf38e09986995d92d8bd51e548a93d165415dc7c468cf3e2bcfb57de6c5eac19e3aa5c497bc598
Score
10/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6s8hs.dat 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6s8hs.dat 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 844 wrote to memory of 1060 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 24 PID 844 wrote to memory of 1060 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 24 PID 844 wrote to memory of 1060 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 24 PID 844 wrote to memory of 1060 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 24 PID 844 wrote to memory of 1148 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 33 PID 844 wrote to memory of 1148 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 33 PID 844 wrote to memory of 1148 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 33 PID 844 wrote to memory of 1148 844 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe 33 -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe -
Modifies service 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\UseRedo.tif => C:\Users\Admin\Pictures\UseRedo.tif.niuvs 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\CompleteRedo.png => C:\Users\Admin\Pictures\CompleteRedo.png.2NxL 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\CompressNew.raw => C:\Users\Admin\Pictures\CompressNew.raw.2NxL 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\DenyApprove.png => C:\Users\Admin\Pictures\DenyApprove.png.2NxL 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\InstallUnblock.crw => C:\Users\Admin\Pictures\InstallUnblock.crw.KHmi2 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\SetResize.raw => C:\Users\Admin\Pictures\SetResize.raw.KHmi2 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe File renamed C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.niuvs 4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe -
Suspicious use of AdjustPrivilegeToken 83 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1060 wmic.exe Token: SeSecurityPrivilege 1060 wmic.exe Token: SeTakeOwnershipPrivilege 1060 wmic.exe Token: SeLoadDriverPrivilege 1060 wmic.exe Token: SeSystemProfilePrivilege 1060 wmic.exe Token: SeSystemtimePrivilege 1060 wmic.exe Token: SeProfSingleProcessPrivilege 1060 wmic.exe Token: SeIncBasePriorityPrivilege 1060 wmic.exe Token: SeCreatePagefilePrivilege 1060 wmic.exe Token: SeBackupPrivilege 1060 wmic.exe Token: SeRestorePrivilege 1060 wmic.exe Token: SeShutdownPrivilege 1060 wmic.exe Token: SeDebugPrivilege 1060 wmic.exe Token: SeSystemEnvironmentPrivilege 1060 wmic.exe Token: SeRemoteShutdownPrivilege 1060 wmic.exe Token: SeUndockPrivilege 1060 wmic.exe Token: SeManageVolumePrivilege 1060 wmic.exe Token: 33 1060 wmic.exe Token: 34 1060 wmic.exe Token: 35 1060 wmic.exe Token: SeIncreaseQuotaPrivilege 1060 wmic.exe Token: SeSecurityPrivilege 1060 wmic.exe Token: SeTakeOwnershipPrivilege 1060 wmic.exe Token: SeLoadDriverPrivilege 1060 wmic.exe Token: SeSystemProfilePrivilege 1060 wmic.exe Token: SeSystemtimePrivilege 1060 wmic.exe Token: SeProfSingleProcessPrivilege 1060 wmic.exe Token: SeIncBasePriorityPrivilege 1060 wmic.exe Token: SeCreatePagefilePrivilege 1060 wmic.exe Token: SeBackupPrivilege 1060 wmic.exe Token: SeRestorePrivilege 1060 wmic.exe Token: SeShutdownPrivilege 1060 wmic.exe Token: SeDebugPrivilege 1060 wmic.exe Token: SeSystemEnvironmentPrivilege 1060 wmic.exe Token: SeRemoteShutdownPrivilege 1060 wmic.exe Token: SeUndockPrivilege 1060 wmic.exe Token: SeManageVolumePrivilege 1060 wmic.exe Token: 33 1060 wmic.exe Token: 34 1060 wmic.exe Token: 35 1060 wmic.exe Token: SeBackupPrivilege 1752 vssvc.exe Token: SeRestorePrivilege 1752 vssvc.exe Token: SeAuditPrivilege 1752 vssvc.exe Token: SeIncreaseQuotaPrivilege 1148 wmic.exe Token: SeSecurityPrivilege 1148 wmic.exe Token: SeTakeOwnershipPrivilege 1148 wmic.exe Token: SeLoadDriverPrivilege 1148 wmic.exe Token: SeSystemProfilePrivilege 1148 wmic.exe Token: SeSystemtimePrivilege 1148 wmic.exe Token: SeProfSingleProcessPrivilege 1148 wmic.exe Token: SeIncBasePriorityPrivilege 1148 wmic.exe Token: SeCreatePagefilePrivilege 1148 wmic.exe Token: SeBackupPrivilege 1148 wmic.exe Token: SeRestorePrivilege 1148 wmic.exe Token: SeShutdownPrivilege 1148 wmic.exe Token: SeDebugPrivilege 1148 wmic.exe Token: SeSystemEnvironmentPrivilege 1148 wmic.exe Token: SeRemoteShutdownPrivilege 1148 wmic.exe Token: SeUndockPrivilege 1148 wmic.exe Token: SeManageVolumePrivilege 1148 wmic.exe Token: 33 1148 wmic.exe Token: 34 1148 wmic.exe Token: 35 1148 wmic.exe Token: SeIncreaseQuotaPrivilege 1148 wmic.exe Token: SeSecurityPrivilege 1148 wmic.exe Token: SeTakeOwnershipPrivilege 1148 wmic.exe Token: SeLoadDriverPrivilege 1148 wmic.exe Token: SeSystemProfilePrivilege 1148 wmic.exe Token: SeSystemtimePrivilege 1148 wmic.exe Token: SeProfSingleProcessPrivilege 1148 wmic.exe Token: SeIncBasePriorityPrivilege 1148 wmic.exe Token: SeCreatePagefilePrivilege 1148 wmic.exe Token: SeBackupPrivilege 1148 wmic.exe Token: SeRestorePrivilege 1148 wmic.exe Token: SeShutdownPrivilege 1148 wmic.exe Token: SeDebugPrivilege 1148 wmic.exe Token: SeSystemEnvironmentPrivilege 1148 wmic.exe Token: SeRemoteShutdownPrivilege 1148 wmic.exe Token: SeUndockPrivilege 1148 wmic.exe Token: SeManageVolumePrivilege 1148 wmic.exe Token: 33 1148 wmic.exe Token: 34 1148 wmic.exe Token: 35 1148 wmic.exe -
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe"C:\Users\Admin\AppData\Local\Temp\4e2554b448424859b508433e6c4a043718343febc7894a849f446dd197b47d1e.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Modifies extensions of user files
PID:844 -
C:\Windows\system32\wbem\wmic.exe"C:\iwjl\pxft\ia\..\..\..\Windows\f\jul\hto\..\..\..\system32\wlt\cpxij\..\..\wbem\e\l\gvv\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\system32\wbem\wmic.exe"C:\v\..\Windows\eev\..\system32\otbk\kpph\rkf\..\..\..\wbem\cbb\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:1492