Analysis Overview
SHA256
1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
Threat Level: Known bad
The file 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78 was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-16 23:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-16 23:10
Reported
2022-02-16 23:18
Platform
win7-en-20211208
Max time kernel
162s
Max time network
184s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExpandUnpublish.tif => C:\Users\Admin\Pictures\ExpandUnpublish.tif.TUQF | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.xbUwC | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.w1fkt | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.fN5U5 | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\892e099ca10b6bc9.tmp | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1084 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1084 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1084 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe
"C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\s\xglq\gk\..\..\..\Windows\n\..\system32\wvh\vuodp\vsng\..\..\..\wbem\pr\lxbwa\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.11:80 | tcp |
Files
memory/1084-54-0x0000000001E50000-0x0000000001EFA000-memory.dmp
memory/1084-55-0x0000000075341000-0x0000000075343000-memory.dmp
memory/1084-56-0x0000000000400000-0x00000000004AA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-16 23:10
Reported
2022-02-16 23:18
Platform
win10v2004-en-20220113
Max time kernel
169s
Max time network
182s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\NewEdit.raw => C:\Users\Admin\Pictures\NewEdit.raw.hIQN | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetPop.tiff | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetPop.tiff => C:\Users\Admin\Pictures\SetPop.tiff.WqFr | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallRestart.raw => C:\Users\Admin\Pictures\UninstallRestart.raw.WqFr | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8802099ca916561b.tmp | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8802099ca916561b.tmp | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1312 wrote to memory of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1312 wrote to memory of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe
"C:\Users\Admin\AppData\Local\Temp\1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmic.exe
"C:\um\lbyp\..\..\Windows\tj\wchd\..\..\system32\jks\xauhq\..\..\wbem\ibuy\mqeuj\bheaf\..\..\..\wmic.exe" shadowcopy delete
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| US | 8.8.8.8:53 | www.bing.com | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.4:80 | tcp |
Files
memory/1312-130-0x0000000000630000-0x00000000006DA000-memory.dmp
memory/1312-131-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/1932-132-0x0000013FC9560000-0x0000013FC9570000-memory.dmp
memory/1932-133-0x0000013FC9B20000-0x0000013FC9B30000-memory.dmp
memory/1932-134-0x0000013FCC1E0000-0x0000013FCC1E4000-memory.dmp