Analysis Overview
SHA256
2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
Threat Level: Known bad
The file 2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6 was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops startup file
Sets desktop wallpaper using registry
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-16 23:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-16 23:07
Reported
2022-02-16 23:15
Platform
win7-en-20211208
Max time kernel
165s
Max time network
178s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchSync.tiff | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.Abrx | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InvokePush.tiff | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.iKME3 | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.WSmSD | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dje5k42nw.dat | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe
"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\on\pref\..\..\Windows\htiwe\s\..\..\system32\ylem\hktl\q\..\..\..\wbem\anrm\tgf\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\d\..\Windows\yfkb\vfml\d\..\..\..\system32\y\..\wbem\a\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
Network
| Country | Destination | Domain | Proto |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| RU | 92.63.194.20:80 | tcp |
Files
memory/1164-54-0x0000000076491000-0x0000000076493000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-16 23:07
Reported
2022-02-16 23:16
Platform
win10v2004-en-20220113
Max time kernel
174s
Max time network
189s
Command Line
Signatures
Maze
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4576 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4576 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe
"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\hleqe\ryt\..\..\Windows\ts\hm\nw\..\..\..\system32\gbhwo\ag\lrv\..\..\..\wbem\ou\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.170:80 | tcp | |
| NL | 88.221.144.170:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| RU | 92.63.194.20:80 | tcp | |
| RU | 92.63.194.20:80 | tcp |
Files
memory/3368-130-0x000001B93C570000-0x000001B93C580000-memory.dmp
memory/3368-131-0x000001B93CC20000-0x000001B93CC30000-memory.dmp
memory/3368-132-0x000001B93F2F0000-0x000001B93F2F4000-memory.dmp