maze | 33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb

General

Target

33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe
Size

350KB
MD5

b352d33bb98d89a440c4c40663a49e9f
SHA1

dcc899f6481c868c8c787b9430752b7dac818f8c
SHA256

33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb
SHA512

ac726a5270f82fe5024fab5aa27d001ae63cc6256964bdf9b0c4398fd06981993c83bb692ea72d16ac708ce5c606debc54bb8169ea9245f593e11ce85cd65e9c

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">6A6dJeNB8YU+1oHWfmURbWAXleIDeX97HmnjA1zaVo9sryGH6hANrJcEf7v0WbIO+CyyzAvbFXDGr/TvpcbGRXxu22uaShZ2qfSNBXnS9u/+qtV83tyg+u8IR5NUvpZ/NeN2YDOltRYj5DVx3KylVzwVHkCwomb1HXUhJbZLiAW3p05dWQHHaY2tZb9iJl/IuauOdaS9u36ZhX935TYZgvNV0jk4sN5QepOiHHYqfe02gxba+Wj8+9aFn7JqpyF3cC4Fd5twfKex7ZlXp5gCyhWyjXbtXma6OI9LlPR+vRuB8sYGejIxAjiq3xHH3aYMD7AOZRahWg1hhktfzYOSsVyoX8TclvPzS3KORW8C8FUnIw+VvYdXejzXQ76y4Ra37nPF951SWgOzq2lI+JfkFEktJILyMyRGJGYQ9PZmSGjI/2Ud1H10CFrjkuVCvKhtfyGaqLJtj2k/YuZzCOk0AwVTPZNhAVNcb1vCYxDOVh3YGDUJNR8oeH30confeB6ORErmQyMLP1V8k56sB+3309lVs+LwznJrPnsKXPeMfE//piG9a4cxUv/NitqtN5hTBwybZ5xdD4fdCCOA8fOWrRWpO+RaGUd+Vqqy2lc3jQKU+2ZpLxK0a3xF98K48NlzdLEYsyx8Mg/J6RRVwOZ+8+q3kx9t1CEhAa/ckMnw5y3rqtcQasLubv4i6niC9JEPhsc35wY4/QzTlvRJlSZbhFbzyht6mNAKtUQr7vatSeS43eo1GCmt7EZqG41VQkYWQcRKM9N8KR3xdWO4EZOEpdmYi/MWZ8yuDNFBrwU0vdQ/3AMpWDE96c1DUjlIJsVqLXmLATxj/sN1m+sjIKO5IMgK9zJy4s1Sc2+8FFiNen2j7pB5oEqk2fvDO7CUhjA31s5tdGFE6wqMqr1OVd/ggEeJHJ2MVcBRdCqN6ko3jBFd3Q7FpKasBtFMI8X9KH1Cfyp7EhBATyJTjUYtSqED8m5Fs4DnkJLW0yf8oO8fCD0kv3MgXQ6ExyHQGXRVFzrsgMl88ObhFNYB3NutNWY7t61THjN6Ck6nTDqrZDN9tct5ZPIXEm6JX5jEZDvm69m9Dv7ZWYQu4wQ5T3vwOyxczoFwI4DDcN2rCdVhGmJEQtnBOVVhLPDq49D5i7oHRno7thxR+42P+S9/zpcW+o3iprIs0N+CGETIjLVHSO7VRrakEcRaQ2GcBfvQNZCpHUx90L4HPg5PWknePUrmav+1fv1FMYQ+1RckYYwGlr5JATpNdoMVTxBy4Qun7ig/fiajNCX+BM02K/DY88R/1tpcxC07ArFuqA6fl2IjFXR/Mby7N1AQuWXGsyVHdS/j1P+tpE18YbBsCTgsojoEcOHdzHOD/o2ScmFLmh5xlHZw1yqz6fetQ0fN3nDFXqvyUZW1wu0d8pZ3Ct5uLUmAGaaYXMcVl642N771PzYH+NIepX06HuLVFvk3qeUlOrzn944UWK6BGSM4iOaGJPpJDwYGv6qt71AZY1Xq3bNWqL5+9yY9joBUaS4A49YP89+eEQmHj2MJurmvNW/p0JF5EtBMV4NDD00OOhfeTQTb0O4/pKYyG6OiZ+KqHrr2uKwq9HYHc5zYhN04+2dWgRwwG76HCfTdIyCpByOd8ayf5Qg58TXv1M0sEYm5pBVXKUplvUtaxcgzGdL+NEZUbq8b++EtS+1Obb+4xe1azG6i2r6o7ggHO91RZM+ABv08d4NHfSndvQU3SBVVYR9wBMdIMyThY5Ih66TFy+XwQPcN1EePbslrSmfVEo9WXVRbKwQhcjSGB2G2OiJBAXh5f0jfJ++A6QjKjQaV4blYOTbU4VpePezbQbiXBfd/QYoXBsXPzrEJfSyySCsZaFWD4xv6SVmiz5DRNyhBvzwnrWOmXXcUwwQY9xA9LvXs/JmvvNsE72CccAura727qgje//R4DmjNQIwKeswVirkCku0bkdiS9DOkqOpm5bCnVxFYYq2UYMNZCFFR41rGFL8zYX6/GzHnV2weubsPz4M2evb91+pCKuIkPriZj3slyG7XeI7v6L5LpbX8036dMTXG2x7rFfn6W/2Dx1FaiNBwIoQ1WPu0IHA4QvXFS9WBFyhVgcZzS3PgSTwjpJm0IGU4QRfzsVGgULQm8fwIlQ3hpqwjOR7TOr7lvDuYdJfJvtKBvy2sarKo18edxOGwlwvEnvsNqJVOq9vKu3fqayPdv3th1pCB4QCsqPi1GWDMZPBSKBTY1ViSy7BPbgoiOAA3ADUAYwAwADkAOAAzADUAZAAxAGQAMQA5ADcAMwAAABCAYBoMQQBkAG0AaQBuAAAAIhJSAEkAQgBDAFEAVQBIAFEAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADcALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwxrq9DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>yourrealdecrypt@airmail.cc</b>

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4084"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4200"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.128866"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4188"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897032299850701"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.111115"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe

pid	process
1560	33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe
1560	33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exeTiWorker.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: 36	2692	wmic.exe
Token: SeIncreaseQuotaPrivilege	2692	wmic.exe
Token: SeSecurityPrivilege	2692	wmic.exe
Token: SeTakeOwnershipPrivilege	2692	wmic.exe
Token: SeLoadDriverPrivilege	2692	wmic.exe
Token: SeSystemProfilePrivilege	2692	wmic.exe
Token: SeSystemtimePrivilege	2692	wmic.exe
Token: SeProfSingleProcessPrivilege	2692	wmic.exe
Token: SeIncBasePriorityPrivilege	2692	wmic.exe
Token: SeCreatePagefilePrivilege	2692	wmic.exe
Token: SeBackupPrivilege	2692	wmic.exe
Token: SeRestorePrivilege	2692	wmic.exe
Token: SeShutdownPrivilege	2692	wmic.exe
Token: SeDebugPrivilege	2692	wmic.exe
Token: SeSystemEnvironmentPrivilege	2692	wmic.exe
Token: SeRemoteShutdownPrivilege	2692	wmic.exe
Token: SeUndockPrivilege	2692	wmic.exe
Token: SeManageVolumePrivilege	2692	wmic.exe
Token: 33	2692	wmic.exe
Token: 34	2692	wmic.exe
Token: 35	2692	wmic.exe
Token: 36	2692	wmic.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe

description	pid	process	target process
PID 1560 wrote to memory of 2692	1560	33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe	wmic.exe
PID 1560 wrote to memory of 2692	1560	33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe
"C:\Users\Admin\AppData\Local\Temp\33e8cd4f3d71d9fc47417d9f4e4b8cc4cfb74a09bb98cc94e4116a85ec62fceb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\wbem\wmic.exe
"C:\ypowu\inlli\..\..\Windows\f\..\system32\nhvac\a\..\..\wbem\bf\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320