Analysis
max time kernel: 167s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 16-02-2022 23:08
Static task: static1
Behavioral task: behavioral1
Sample: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Resource: win7-en-20211208
General
Target: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Size: 1.1MB
MD5: 8f6cff7e69cd66e3972f916c2d3c36cb
SHA1: 83ccdc63d41a142702d6180db78b32b1cb7340f2
SHA256: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd
SHA512: 5a9a115efe04b3637aa26089aa9d121bc907ae646c98e40b57d9900d195005197545368e5cdd4a706667aafb52799f47317872ae2557fbc076feed6a8b6e86d4
Malware Config
Extracted
Path: C:\DECRYPT-FILES.txt
Family: maze
URLs:
http://aoacugmutagkwctu.onion/6c2b0cc844a48910
https://mazedecrypt.top/6c2b0cc844a48910
Signatures
Maze
Ransomware family also known as ChaCha.
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CompareReceive.crw => C:\Users\Admin\Pictures\CompareReceive.crw.dQ9J | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\CompleteClose.tif => C:\Users\Admin\Pictures\CompleteClose.tif.n4H6 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromRevoke.tiff | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromRevoke.tiff => C:\Users\Admin\Pictures\ConvertFromRevoke.tiff.n4H6 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\RemoveConfirm.raw => C:\Users\Admin\Pictures\RemoveConfirm.raw.gXCNl | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\SubmitExport.tif => C:\Users\Admin\Pictures\SubmitExport.tif.TUCs6s | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\SuspendSelect.tif => C:\Users\Admin\Pictures\SuspendSelect.tif.TUCs6s | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\CompleteExport.raw => C:\Users\Admin\Pictures\CompleteExport.raw.n4H6 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File opened for modification | C:\Users\Admin\Pictures\RevokeStop.tiff | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\RevokeStop.tiff => C:\Users\Admin\Pictures\RevokeStop.tiff.Wd9rD | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File opened for modification | C:\Users\Admin\Pictures\SuspendMeasure.tiff | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\SuspendMeasure.tiff => C:\Users\Admin\Pictures\SuspendMeasure.tiff.TUCs6s | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File renamed | C:\Users\Admin\Pictures\SyncUpdate.tif => C:\Users\Admin\Pictures\SyncUpdate.tif.aTEQg3 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Drops startup file (4 IoCs)
Processes: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2b0cc844a48910.tmp | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c2b0cc844a48910.tmp | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Drops file in Program Files directory (43 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
pid | process
3484 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
3484 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
description | pid | process | target process
PID 3484 wrote to memory of 664 | 3484 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe | wmic.exe
PID 3484 wrote to memory of 664 | 3484 | 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe | wmic.exe
Processes
C:\Users\Admin\AppData\Local\Temp\20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wbem\wmic.exe (child)
    Command line: "C:\rj\m\hosa\..\..\..\Windows\o\kbwpe\hjwq\..\..\..\system32\s\bqa\..\..\wbem\tly\cxv\..\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x444 0x408
  - Suspicious use of AdjustPrivilegeToken
Downloads
file | Filesize
memory/3484-130-0x0000000000886000-0x0000000000903000-memory.dmp | 500KB
memory/3484-131-0x0000000000886000-0x0000000000903000-memory.dmp | 500KB
memory/3484-132-0x00000000007D0000-0x000000000082E000-memory.dmp | 376KB
memory/3484-136-0x00000000007D1000-0x000000000080A000-memory.dmp | 228KB