Analysis
- max time kernel: 161s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 16-02-2022 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
  Resource: win10v2004-en-20220112
General
- Target: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
- Size: 366KB
- MD5: 2332f770b014f21bcc63c7bee50d543a
- SHA1: 21ef6f89c9604acdd15ec430343ada05640cb869
- SHA256: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da
- SHA512: 294a23b72d0a0c19071e96c5e2743e54f959788e8e4c7fd1122bbed988460ddcf9ec063f604f1d6d98968d45c16ee237caac1a8641f8bd4c500e5e6d7fcd6d91
Malware Config
Extracted
- Path: C:\DECRYPT-FILES.txt
- Family: maze
- URLs:
  http://aoacugmutagkwctu.onion/6c610cc5ebdfae1e
  https://mazedecrypt.top/6c610cc5ebdfae1e
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
    File opened for modification C:\Users\Admin\Pictures\InstallUnregister.tiff
    File renamed C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.rvTCpp
    File renamed C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.uHj4
    File renamed C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.lGRo
    File renamed C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.b4VUME
    File opened for modification C:\Users\Admin\Pictures\ExportSearch.tiff
    File renamed C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.b4VUME
- Drops startup file (2 IoCs)
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
    File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc5ebdfae1e.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"
- Drops file in Program Files directory (36 IoCs)
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
    File opened for modification C:\Program Files\EditPing.avi
    File opened for modification C:\Program Files\ReadCompress.jpeg
    File opened for modification C:\Program Files\UnprotectFormat.svg
    File created C:\Program Files\DECRYPT-FILES.txt
    File opened for modification C:\Program Files\CheckpointLimit.avi
    File opened for modification C:\Program Files\DenyCompress.gif
    File opened for modification C:\Program Files\ProtectGroup.zip
    File opened for modification C:\Program Files\UndoPublish.cr2
    File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt
    File opened for modification C:\Program Files\ExportApprove.php
    File opened for modification C:\Program Files\JoinOpen.ppt
    File opened for modification C:\Program Files\SearchSkip.odt
    File opened for modification C:\Program Files\TraceGrant.scf
    File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c610cc5ebdfae1e.tmp
    File opened for modification C:\Program Files\SearchCompress.docm
    File opened for modification C:\Program Files\6c610cc5ebdfae1e.tmp
    File opened for modification C:\Program Files\CloseTrace.mid
    File opened for modification C:\Program Files\DisableLimit.wps
    File opened for modification C:\Program Files\InstallUnblock.mp3
    File opened for modification C:\Program Files\MeasureAdd.vbs
    File opened for modification C:\Program Files\OutImport.doc
    File opened for modification C:\Program Files\RequestPublish.html
    File created C:\Program Files (x86)\DECRYPT-FILES.txt
    File opened for modification C:\Program Files\OutConvertTo.rmi
    File opened for modification C:\Program Files\UninstallUndo.xhtml
    File opened for modification C:\Program Files (x86)\6c610cc5ebdfae1e.tmp
    File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c610cc5ebdfae1e.tmp
    File opened for modification C:\Program Files\FindUndo.clr
    File opened for modification C:\Program Files\MoveSave.001
    File opened for modification C:\Program Files\NewStart.ppsm
    File opened for modification C:\Program Files\StartCopy.gif
    File opened for modification C:\Program Files\UnregisterSelect.pps
    File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt
    File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt
    File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c610cc5ebdfae1e.tmp
    File opened for modification C:\Program Files\CompleteUnblock.png
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe (pid 1032)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Process: vssvc.exe (pid 552)
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  Process: wmic.exe (pid 2016); the following sequence of 20 tokens is recorded twice in the report
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
  Process: AUDIODG.EXE (pid 1712)
    Token: 33
    Token: SeIncBasePriorityPrivilege
    Token: 33
    Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe (pid 1032)
    PID 1032 wrote to memory of PID 2016 (1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe -> wmic.exe); this event is recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\ut\w\uenfh\..\..\..\Windows\vl\..\system32\y\uips\n\..\..\..\wbem\mjy\vyn\rcc\..\..\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1032-55-0x0000000075F91000-0x0000000075F93000-memory.dmp (Filesize: 8KB)