maze | 3935efdd48fc122e4b10c068f06c53e4360aeabdba3b70c7958af79a208fda58

Analysis

max time kernel
162s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3935efdd48fc122e4b10c068f06c53e4360aeabdba3b70c7958af79a208fda58.dll
Size

592KB
MD5

365d6a237322d9e9423c139618010221
SHA1

3f025bc6ad85e19a259c38e224ccd8e482645126
SHA256

3935efdd48fc122e4b10c068f06c53e4360aeabdba3b70c7958af79a208fda58
SHA512

4fa65fb387532b1e04e94b9d8996c937cd90205094b7e168d8feda1d28ae9b871b4e3eb10ceced13c49fea5daabd9d0a7a280c838ba4e2472c94e7ef29f8bc94

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2b0cc8d9154c1a e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c2b0cc8d9154c1a b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- BOotYiqpQe7VdhSwpci3utpOXuPLW2Ae/qlo40IgfI21Fvtn9pTxe7KAEY4OPN7xLNDZU8h5bC9Dp77dGGgotMLKRXQrcFG8/OHMiV97zdKFDNAl1xc9MCcPVK+CInn7Nnrf/RCmXWDL56iJ5rnAgEoU1iU931Q+y2nV6mV8AoJI2TYNBdWqU4GRRQctow3AulHPPqKDBnGvDootxAzT+TsJpV/RuXkzpYVA95djWZbJTJY2+lawJxQIB6GTxv3Jw/F2VuCy7jfQeLjC3sSyAEzFEsTysRP8GhO7/JA1GRfnavk/dNSecmViBRtc7wf0tr9kpKgDVP6h2G1GKg6PzKBzw+iZ28lcc6g0zFizZtexWwJnoT5znIE3OVeOm9vIlxCEko6bQayYm+PQKz7lR+krpmmeNd8fkEc8HMB/Z30XMbinHtqxctat95LFjWxbXqHi36QYin5yahcdpWHdpnMZwtlAOP8HKRTs51Y9C8lb+oVesMSTcqhR8trNP35Wm1CEJdyvj3L8dE0Bp7ZeEnWZKzsWajwIRWq0yvKrARcQ4gPchhAV5ktJPVOGvDuwzOz7YXEDcHmP8Iv+f+bijNYmetzr+W/kuck68xoBiXI/J77qawLeycPtyU2Er2d9LsqlZ9kfYwHGY6MdJ63kpOw31+/Jd168DYPIGT2B04OUxY7QEb1IWYBoZ/Pj2q0snpZhQmh5ifs7Cqjy230nJt6SunLE/F751gNbW0n2256j3E6jQIPowvgIn2Q8nLz2Z5Q2v3hm1kM5h7ksOaD7YfS3BLPotzhXSXpmT+5u03IwfoR4sUTRsgZAT3NOOBBygz7fN0hqvSadbHqnwo5cm2+bB5vfyo/XGwQMdkE7cppRLz76aTvrWY4XI6ququ98oWCIfBIOAyQT8H8jnnTMuj2odUIKeBNGmwMKQruBaT6WyGAifCbK3CzkI4UK4+Z4KYwDa20exHU7mH+gvxE59PXvexn3yOVOq+1PNUACAuj+BiriLK1YTbVibRKUKYJhprYWEDySV7jl5pNV37cKfVxjswboJxjpnbcJwj5CxxNStrfiITRXpE8d55DWvVxbA1LgPjA1oJCKb0VjCuMbBRnSwI53s/OcMWQTKcFMhU41sGBXZ5y+SwBA06TwTITDC/uGdrPVYdzgf+ADwhT+UOZbJve4j1OYEqCNPa7f0soGxUhvnzZc0psLNbu5ymFlH5gLXrmTVZUmJPqNdRK4sOcw41ui3X+7UMCsSH5pMDXY2akzFdmfo8QHGDK1WmX1VPjqCwp/TmzDiKJFhmLDiwFiM96pNz5JPThi61g8Ygp+TBYWm7qHz0BeHX5oy0f6pF3gV2o0owxhtXgPovBS2NA+P5/hhREoU2Cp9SOnBbWIBIuR58CoHcta3EiSzQ9t9R+Q/m3JHTLVpzxVI2JtJnYs/95iwpRXi4iguRZ1PWsjRnidi73HsSHO2AWqF+bCK3lpBIgAfAjuhLzDWP96Z4h9No77WHQlGMRzhVgR4lgUsZvwL7U2ZvKWC8KsB+VFD8acbXDf5bv9BDdedEEr+91XDmynHquDIwBmwM/u9bvwbEhjydkKzQBt9we5ItlJ7Newk3VPpPiLHTjxtdBsi081kHSJID6jC07JxhRn0XD2jXwp6Wm5dFhIlCM6OUP0wVlIjZYmlgy2xJtPig28FABt2p7Jtf5+xyLmUsXbYBQB8HxzfG5iL+oOwMUutvX5y/0oPgOAqThp2CNzxEODN/T4GzUnWc5mRB8UZwL6gQvAl1m5Zu230yTLNeb7dp8qdfLdlcFBZYrBTOZ1vesZ3W/T3C7//K1+d88JPcvk6CejooKRL2HEnOu7ZAMpVH3fLUtOFrW+lbDcybl0IvlBvXLuUKjU9qIPB4H/c+3T1zFmuqoe4Y3WKU/xqaL+rYy89OMhalHlPRh1rHm1FjLaA65mTBE//CLjQW+GGhX/nB1JGxXv8HdmdQww+BYXGC9NlV0qUkooeI0tJ/EgCV+iYPcMkKTdTwONppznfrml+jui10h4bO2R5xOJbIEa6jvvshfoaWSIVuAA/bjbtlgEdJ57QCBxK/+4/CCZq/FXY9N2npL3du2t4Gy3CYZ6GJALdc5ruOUXfXXy3wfgnNR30+iuDuQqDlOpYWWr7uFsztqdBy+ddi5qSpYzl2n96U367eGfgmh6i9yaa1VNC65jEJQ0dlw18eHZG2UwdfPlsorUiSaEJ6pfHtpLZ8EDnwZ+mlnYegoiNgBjADIAYgAwAGMAYwA4AGQAOQAxADUANABjADEAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEoARABRAFAAWABPAFAAUgAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEI2fABDAF8ARgBfADIAMAA0ADcAOQAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHDTnrcOeA+AAQGKAQUyLjMuMg== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c2b0cc8d9154c1a

https://mazedecrypt.top/6c2b0cc8d9154c1a

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1540 created 2156	1540	WerFault.exe	101

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EnterCompress.crw => C:\Users\Admin\Pictures\EnterCompress.crw.s1nGYZ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SearchGroup.crw => C:\Users\Admin\Pictures\SearchGroup.crw.r0kG	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\UseFind.tiff	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\AssertConvert.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\AssertConvert.tiff => C:\Users\Admin\Pictures\AssertConvert.tiff.9bKmsO	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SaveTest.raw => C:\Users\Admin\Pictures\SaveTest.raw.r0kG	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UseFind.tiff => C:\Users\Admin\Pictures\UseFind.tiff.r0kG	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\CloseRequest.raw => C:\Users\Admin\Pictures\CloseRequest.raw.9bKmsO	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\JoinRename.raw => C:\Users\Admin\Pictures\JoinRename.raw.wJTITg0	regsvr32.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2b0cc8d9154c1a.tmp	regsvr32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c2b0cc8d9154c1a.tmp	regsvr32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"	regsvr32.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubmitGroup.M2TS	regsvr32.exe
File opened for modification	C:\Program Files\UnprotectRevoke.vbs	regsvr32.exe
File opened for modification	C:\Program Files (x86)\6c2b0cc8d9154c1a.tmp	regsvr32.exe
File opened for modification	C:\Program Files\AssertLock.txt	regsvr32.exe
File opened for modification	C:\Program Files\CompressClear.jtx	regsvr32.exe
File opened for modification	C:\Program Files\HideCompare.dib	regsvr32.exe
File opened for modification	C:\Program Files\RegisterUndo.css	regsvr32.exe
File opened for modification	C:\Program Files\ConvertMount.scf	regsvr32.exe
File opened for modification	C:\Program Files\FindRename.dxf	regsvr32.exe
File opened for modification	C:\Program Files\LockRemove.tiff	regsvr32.exe
File opened for modification	C:\Program Files\PingUnprotect.vb	regsvr32.exe
File opened for modification	C:\Program Files\6c2b0cc8d9154c1a.tmp	regsvr32.exe
File opened for modification	C:\Program Files\BackupUpdate.rar	regsvr32.exe
File opened for modification	C:\Program Files\CompleteCopy.vst	regsvr32.exe
File opened for modification	C:\Program Files\ConvertGet.vbe	regsvr32.exe
File opened for modification	C:\Program Files\UnpublishSet.html	regsvr32.exe
File opened for modification	C:\Program Files\RevokeSet.docx	regsvr32.exe
File opened for modification	C:\Program Files\SetUndo.au	regsvr32.exe
File opened for modification	C:\Program Files\ShowSwitch.jpg	regsvr32.exe
File opened for modification	C:\Program Files\StopInstall.fon	regsvr32.exe
File opened for modification	C:\Program Files\ClearTest.ram	regsvr32.exe
File opened for modification	C:\Program Files\OpenPublish.ini	regsvr32.exe
File opened for modification	C:\Program Files\ResumeCopy.cfg	regsvr32.exe
File opened for modification	C:\Program Files\ShowPop.xml	regsvr32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\AssertConfirm.7z	regsvr32.exe
File opened for modification	C:\Program Files\ExpandSearch.mpa	regsvr32.exe
File opened for modification	C:\Program Files\UnblockPop.wmf	regsvr32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\AddAssert.i64	regsvr32.exe
File opened for modification	C:\Program Files\CompleteUnpublish.TTS	regsvr32.exe
File opened for modification	C:\Program Files\ConnectSelect.m3u	regsvr32.exe
File opened for modification	C:\Program Files\ShowStart.gif	regsvr32.exe
File opened for modification	C:\Program Files\ConfirmResize.vdw	regsvr32.exe
File opened for modification	C:\Program Files\GroupSplit.mpeg2	regsvr32.exe
File opened for modification	C:\Program Files\ConvertFromClose.png	regsvr32.exe
File opened for modification	C:\Program Files\GroupJoin.MOD	regsvr32.exe
File opened for modification	C:\Program Files\MoveMerge.mp2v	regsvr32.exe
File opened for modification	C:\Program Files\OutUpdate.xsl	regsvr32.exe
File opened for modification	C:\Program Files\ConfirmReceive.vsdx	regsvr32.exe
File opened for modification	C:\Program Files\PingHide.gif	regsvr32.exe
File opened for modification	C:\Program Files\ShowConfirm.reg	regsvr32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3384	2156	WerFault.exe	101
3636	2156	WerFault.exe	101

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6539"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2688"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2254"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2254"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6539"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2254"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "879"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2688"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "879"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2688"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6539"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "879"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4732	regsvr32.exe
4732	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeBackupPrivilege	4788	vssvc.exe
Token: SeRestorePrivilege	4788	vssvc.exe
Token: SeAuditPrivilege	4788	vssvc.exe
Token: SeShutdownPrivilege	4200	svchost.exe
Token: SeCreatePagefilePrivilege	4200	svchost.exe
Token: SeShutdownPrivilege	4200	svchost.exe
Token: SeCreatePagefilePrivilege	4200	svchost.exe
Token: SeShutdownPrivilege	4200	svchost.exe
Token: SeCreatePagefilePrivilege	4200	svchost.exe
Token: SeIncreaseQuotaPrivilege	300	wmic.exe
Token: SeSecurityPrivilege	300	wmic.exe
Token: SeTakeOwnershipPrivilege	300	wmic.exe
Token: SeLoadDriverPrivilege	300	wmic.exe
Token: SeSystemProfilePrivilege	300	wmic.exe
Token: SeSystemtimePrivilege	300	wmic.exe
Token: SeProfSingleProcessPrivilege	300	wmic.exe
Token: SeIncBasePriorityPrivilege	300	wmic.exe
Token: SeCreatePagefilePrivilege	300	wmic.exe
Token: SeBackupPrivilege	300	wmic.exe
Token: SeRestorePrivilege	300	wmic.exe
Token: SeShutdownPrivilege	300	wmic.exe
Token: SeDebugPrivilege	300	wmic.exe
Token: SeSystemEnvironmentPrivilege	300	wmic.exe
Token: SeRemoteShutdownPrivilege	300	wmic.exe
Token: SeUndockPrivilege	300	wmic.exe
Token: SeManageVolumePrivilege	300	wmic.exe
Token: 33	300	wmic.exe
Token: 34	300	wmic.exe
Token: 35	300	wmic.exe
Token: 36	300	wmic.exe
Token: SeIncreaseQuotaPrivilege	300	wmic.exe
Token: SeSecurityPrivilege	300	wmic.exe
Token: SeTakeOwnershipPrivilege	300	wmic.exe
Token: SeLoadDriverPrivilege	300	wmic.exe
Token: SeSystemProfilePrivilege	300	wmic.exe
Token: SeSystemtimePrivilege	300	wmic.exe
Token: SeProfSingleProcessPrivilege	300	wmic.exe
Token: SeIncBasePriorityPrivilege	300	wmic.exe
Token: SeCreatePagefilePrivilege	300	wmic.exe
Token: SeBackupPrivilege	300	wmic.exe
Token: SeRestorePrivilege	300	wmic.exe
Token: SeShutdownPrivilege	300	wmic.exe
Token: SeDebugPrivilege	300	wmic.exe
Token: SeSystemEnvironmentPrivilege	300	wmic.exe
Token: SeRemoteShutdownPrivilege	300	wmic.exe
Token: SeUndockPrivilege	300	wmic.exe
Token: SeManageVolumePrivilege	300	wmic.exe
Token: 33	300	wmic.exe
Token: 34	300	wmic.exe
Token: 35	300	wmic.exe
Token: 36	300	wmic.exe
Token: SeTakeOwnershipPrivilege	2156	SearchApp.exe
Token: SeRestorePrivilege	2156	SearchApp.exe
Token: SeTakeOwnershipPrivilege	2156	SearchApp.exe
Token: SeRestorePrivilege	2156	SearchApp.exe
Token: SeTakeOwnershipPrivilege	2156	SearchApp.exe
Token: SeRestorePrivilege	2156	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	SearchApp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 4732	1012	regsvr32.exe	82
PID 1012 wrote to memory of 4732	1012	regsvr32.exe	82
PID 1012 wrote to memory of 4732	1012	regsvr32.exe	82
PID 4732 wrote to memory of 300	4732	regsvr32.exe	99
PID 4732 wrote to memory of 300	4732	regsvr32.exe	99
PID 1540 wrote to memory of 2156	1540	WerFault.exe	101
PID 1540 wrote to memory of 2156	1540	WerFault.exe	101
PID 2156 wrote to memory of 3384	2156	SearchApp.exe	108
PID 2156 wrote to memory of 3384	2156	SearchApp.exe	108
PID 2156 wrote to memory of 3384	2156	SearchApp.exe	108

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3935efdd48fc122e4b10c068f06c53e4360aeabdba3b70c7958af79a208fda58.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3935efdd48fc122e4b10c068f06c53e4360aeabdba3b70c7958af79a208fda58.dll
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\wbem\wmic.exe
    "C:\obfkp\xj\..\..\Windows\asbji\..\system32\lbkj\wngb\..\..\wbem\knkbr\hhiig\..\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2156 -s 4460
  2⤵
  - Program crash
  PID:3384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2156 -s 4460
  2⤵
  - Program crash
  PID:3636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2156 -ip 2156
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-141-0x000001DBA55D0000-0x000001DBA55D4000-memory.dmp

Filesize
16KB

Download
memory/4200-136-0x0000029B1A560000-0x0000029B1A570000-memory.dmp

Filesize
64KB

Download
memory/4200-137-0x0000029B1AC20000-0x0000029B1AC30000-memory.dmp

Filesize
64KB

Download
memory/4200-138-0x0000029B1D2E0000-0x0000029B1D2E4000-memory.dmp

Filesize
16KB

Download
memory/4732-130-0x00000000007D0000-0x000000000082D000-memory.dmp

Filesize
372KB

Download
memory/4732-134-0x00000000006B0000-0x000000000070D000-memory.dmp

Filesize
372KB

Download
memory/4732-135-0x00000000007D1000-0x0000000000809000-memory.dmp

Filesize
224KB

Download