Malware Analysis Report

2024-09-22 14:40

Sample ID: 220216-23689sebf5
Target: 2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
SHA256: 2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
Tags: maze ransomware spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6

Threat Level: Known bad

The file 2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6 was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Sets desktop wallpaper using registry

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-02-16 23:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-16 23:07
Reported: 2022-02-16 23:15
Platform: win7-en-20211208
Max time kernel: 165s
Max time network: 178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SearchSync.tiff | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.Abrx | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\InvokePush.tiff | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.iKME3 | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.WSmSD | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File renamed | C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.otu16J | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dje5k42nw.dat | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe

"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\on\pref\..\..\Windows\htiwe\s\..\..\system32\ylem\hktl\q\..\..\..\wbem\anrm\tgf\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\d\..\Windows\yfkb\vfml\d\..\..\..\system32\y\..\wbem\a\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x550

Network

Country | Destination | Domain | Proto
TR | 92.63.8.47:80 | | tcp
TR | 92.63.8.47:80 | | tcp
TR | 92.63.8.47:80 | | tcp
PL | 92.63.32.2:80 | | tcp
PL | 92.63.32.2:80 | | tcp
PL | 92.63.32.2:80 | | tcp
PL | 92.63.37.100:80 | | tcp
TR | 92.63.8.47:80 | | tcp
PL | 92.63.37.100:80 | | tcp
PL | 92.63.37.100:80 | | tcp
TR | 92.63.8.47:80 | | tcp
RU | 92.63.194.20:80 | | tcp

Files

memory/1164-54-0x0000000076491000-0x0000000076493000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-16 23:07
Reported: 2022-02-16 23:16
Platform: win10v2004-en-20220113
Max time kernel: 174s
Max time network: 189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe

"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\hleqe\ryt\..\..\Windows\ts\hm\nw\..\..\..\system32\gbhwo\ag\lrv\..\..\..\wbem\ou\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country | Destination | Domain | Proto
NL | 88.221.144.170:80 | | tcp
NL | 88.221.144.170:80 | | tcp
TR | 92.63.8.47:80 | | tcp
TR | 92.63.8.47:80 | | tcp
PL | 92.63.32.2:80 | | tcp
PL | 92.63.32.2:80 | | tcp
PL | 92.63.37.100:80 | | tcp
PL | 92.63.37.100:80 | | tcp
RU | 92.63.194.20:80 | | tcp
RU | 92.63.194.20:80 | | tcp

Files

memory/3368-130-0x000001B93C570000-0x000001B93C580000-memory.dmp

memory/3368-131-0x000001B93CC20000-0x000001B93CC30000-memory.dmp

memory/3368-132-0x000001B93F2F0000-0x000001B93F2F4000-memory.dmp