Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
22-08-2021 06:46
Static task
static1
Behavioral task
behavioral1
Sample
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe
-
Size
351KB
-
MD5
345d140139d2d11713b06f1cd9a5669e
-
SHA1
ca3c843964caa54471c136e8fc36bcb3534c1432
-
SHA256
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74
-
SHA512
4e2f2424bb47bbb93972b37fa2657d51f43a5061c7318637cda56bb48ea5fde4277f6a06a4b9e7855a20adbd1eb7ba2444686550fed624428986dc30ea9245c9
Score
10/10
Malware Config
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exedescription ioc Process File renamed C:\Users\Admin\Pictures\InstallProtect.tif => C:\Users\Admin\Pictures\InstallProtect.tif.Y0cnVK7 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe File renamed C:\Users\Admin\Pictures\StopUninstall.tif => C:\Users\Admin\Pictures\StopUninstall.tif.5WZvmtG f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe -
Drops startup file 4 IoCs
Processes:
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ikcvc5.dat f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ikcvc5.dat f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exepid Process 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exevssvc.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 3520 wmic.exe Token: SeSecurityPrivilege 3520 wmic.exe Token: SeTakeOwnershipPrivilege 3520 wmic.exe Token: SeLoadDriverPrivilege 3520 wmic.exe Token: SeSystemProfilePrivilege 3520 wmic.exe Token: SeSystemtimePrivilege 3520 wmic.exe Token: SeProfSingleProcessPrivilege 3520 wmic.exe Token: SeIncBasePriorityPrivilege 3520 wmic.exe Token: SeCreatePagefilePrivilege 3520 wmic.exe Token: SeBackupPrivilege 3520 wmic.exe Token: SeRestorePrivilege 3520 wmic.exe Token: SeShutdownPrivilege 3520 wmic.exe Token: SeDebugPrivilege 3520 wmic.exe Token: SeSystemEnvironmentPrivilege 3520 wmic.exe Token: SeRemoteShutdownPrivilege 3520 wmic.exe Token: SeUndockPrivilege 3520 wmic.exe Token: SeManageVolumePrivilege 3520 wmic.exe Token: 33 3520 wmic.exe Token: 34 3520 wmic.exe Token: 35 3520 wmic.exe Token: 36 3520 wmic.exe Token: SeIncreaseQuotaPrivilege 3520 wmic.exe Token: SeSecurityPrivilege 3520 wmic.exe Token: SeTakeOwnershipPrivilege 3520 wmic.exe Token: SeLoadDriverPrivilege 3520 wmic.exe Token: SeSystemProfilePrivilege 3520 wmic.exe Token: SeSystemtimePrivilege 3520 wmic.exe Token: SeProfSingleProcessPrivilege 3520 wmic.exe Token: SeIncBasePriorityPrivilege 3520 wmic.exe Token: SeCreatePagefilePrivilege 3520 wmic.exe Token: SeBackupPrivilege 3520 wmic.exe Token: SeRestorePrivilege 3520 wmic.exe Token: SeShutdownPrivilege 3520 wmic.exe Token: SeDebugPrivilege 3520 wmic.exe Token: SeSystemEnvironmentPrivilege 3520 wmic.exe Token: SeRemoteShutdownPrivilege 3520 wmic.exe Token: SeUndockPrivilege 3520 wmic.exe Token: SeManageVolumePrivilege 3520 wmic.exe Token: 33 3520 wmic.exe Token: 34 3520 wmic.exe Token: 35 3520 wmic.exe Token: 36 3520 wmic.exe Token: SeBackupPrivilege 3844 vssvc.exe Token: SeRestorePrivilege 3844 vssvc.exe Token: SeAuditPrivilege 3844 vssvc.exe Token: SeIncreaseQuotaPrivilege 3848 wmic.exe Token: SeSecurityPrivilege 3848 wmic.exe Token: SeTakeOwnershipPrivilege 3848 wmic.exe Token: SeLoadDriverPrivilege 3848 wmic.exe Token: SeSystemProfilePrivilege 3848 wmic.exe Token: SeSystemtimePrivilege 3848 wmic.exe Token: SeProfSingleProcessPrivilege 3848 wmic.exe Token: SeIncBasePriorityPrivilege 3848 wmic.exe Token: SeCreatePagefilePrivilege 3848 wmic.exe Token: SeBackupPrivilege 3848 wmic.exe Token: SeRestorePrivilege 3848 wmic.exe Token: SeShutdownPrivilege 3848 wmic.exe Token: SeDebugPrivilege 3848 wmic.exe Token: SeSystemEnvironmentPrivilege 3848 wmic.exe Token: SeRemoteShutdownPrivilege 3848 wmic.exe Token: SeUndockPrivilege 3848 wmic.exe Token: SeManageVolumePrivilege 3848 wmic.exe Token: 33 3848 wmic.exe Token: 34 3848 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exedescription pid Process procid_target PID 4000 wrote to memory of 3520 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe 75 PID 4000 wrote to memory of 3520 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe 75 PID 4000 wrote to memory of 3848 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe 80 PID 4000 wrote to memory of 3848 4000 f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe"C:\Users\Admin\AppData\Local\Temp\f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74.bin.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\system32\wbem\wmic.exe"C:\r\cgqt\b\..\..\..\Windows\kb\yd\..\..\system32\umxxo\vni\..\..\wbem\vbkef\wha\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\Windows\system32\wbem\wmic.exe"C:\dbq\edbhf\..\..\Windows\cyupr\bgxm\nlx\..\..\..\system32\hul\tmh\khm\..\..\..\wbem\uaatw\xiqtp\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4101⤵PID:2716