Analysis Overview
SHA256
22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0
Threat Level: Known bad
The file 22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0 was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops startup file
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-16 23:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-16 23:08
Reported
2022-02-16 23:18
Platform
win7-en-20211208
Max time kernel
163s
Max time network
181s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExitWait.crw => C:\Users\Admin\Pictures\ExitWait.crw.x0eG | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExpandConvertTo.png => C:\Users\Admin\Pictures\ExpandConvertTo.png.IEZ4 | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeBackup.tif => C:\Users\Admin\Pictures\ResumeBackup.tif.blNlG | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncRestore.tif => C:\Users\Admin\Pictures\SyncRestore.tif.jgZVlX | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConnectInvoke.tiff | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectInvoke.tiff => C:\Users\Admin\Pictures\ConnectInvoke.tiff.hv7ng1 | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromUse.png => C:\Users\Admin\Pictures\ConvertFromUse.png.hv7ng1 | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewSuspend.tif => C:\Users\Admin\Pictures\NewSuspend.tif.IEZ4 | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetMerge.crw => C:\Users\Admin\Pictures\SetMerge.crw.tCYI9r | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestCopy.crw => C:\Users\Admin\Pictures\TestCopy.crw.jgZVlX | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointPush.raw => C:\Users\Admin\Pictures\CheckpointPush.raw.rnhp6 | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\892e099c951f85bc.tmp | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1548 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1548 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1548 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1548 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe
"C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\ajqpk\..\Windows\dtox\oaoa\..\..\system32\rijci\wof\rmhli\..\..\..\wbem\hv\kqmsm\a\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp |
Files
memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-16 23:08
Reported
2022-02-16 23:19
Platform
win10v2004-en-20220113
Max time kernel
166s
Max time network
181s
Command Line
Signatures
Maze
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe
"C:\Users\Admin\AppData\Local\Temp\22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | tcp | |
| DE | 67.24.27.254:80 | tcp | |
| DE | 67.24.27.254:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp |
Files
memory/1720-131-0x000001929B120000-0x000001929B130000-memory.dmp
memory/1720-130-0x000001929AB60000-0x000001929AB70000-memory.dmp
memory/1720-132-0x000001929D7E0000-0x000001929D7E4000-memory.dmp