Analysis
- max time kernel: 170s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 16/02/2022, 23:09
Static task: static1
Behavioral task: behavioral1
- Sample: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
- Resource: win10v2004-en-20220113
General
- Target: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
- Size: 727KB
- MD5: 27c5ecbb94b84c315d56673a851b6cf9
- SHA1: 326f4984644aac4370c8237984fd369f1c9db29b
- SHA256: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
- SHA512: 7a811abc5bc380eab6fd3e447e858c382edfba1e5088cb66065df4c393e9cc01b37bbd875b3de173fabc72f6055467e80a6a8a1b7eb8744d1a40b58877d86b32
Malware Config
- Extracted from: C:\DECRYPT-FILES.txt
- Family: maze
- URLs:
  http://aoacugmutagkwctu.onion/8802099cdefd5cde
  https://mazedecrypt.top/8802099cdefd5cde
Signatures
- Maze: ransomware family also known as ChaCha. The 16-hex identifier 8802099cdefd5cde appears both as the last path segment of the two payment URLs in the extracted note and as the name of the .tmp file the sample writes next to each ransom note below.
- Drops startup file (4 IoCs)
  Process for every row: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
  description | ioc
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8802099cdefd5cde.tmp
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8802099cdefd5cde.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report lists no IoC rows under this signature, so it does not by itself show which browser files were read or whether anything was exfiltrated.
- Drops file in Program Files directory (40 IoCs)
  Process for every row: 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
  description | ioc
  File opened for modification | C:\Program Files\DenyUnprotect.wma
  File created | C:\Program Files\DECRYPT-FILES.txt
  File opened for modification | C:\Program Files\BackupConvert.wm
  File opened for modification | C:\Program Files\DisableReset.vsdm
  File opened for modification | C:\Program Files\EnterComplete.mp4
  File opened for modification | C:\Program Files\RenameWatch.bmp
  File opened for modification | C:\Program Files\WaitUndo.cfg
  File opened for modification | C:\Program Files\ConfirmTest.xlsb
  File opened for modification | C:\Program Files\FormatReceive.mpeg2
  File created | C:\Program Files (x86)\DECRYPT-FILES.txt
  File opened for modification | C:\Program Files\8802099cdefd5cde.tmp
  File opened for modification | C:\Program Files\ExportExpand.wpl
  File opened for modification | C:\Program Files\InstallGroup.wps
  File opened for modification | C:\Program Files\MeasureDisconnect.midi
  File opened for modification | C:\Program Files\MoveSplit.mid
  File opened for modification | C:\Program Files\ResolveSend.m3u
  File opened for modification | C:\Program Files\CopyRevoke.pps
  File opened for modification | C:\Program Files\LockGet.otf
  File opened for modification | C:\Program Files\StartPublish.css
  File opened for modification | C:\Program Files\SubmitSearch.potx
  File opened for modification | C:\Program Files\WaitProtect.aif
  File opened for modification | C:\Program Files\WaitProtect.dib
  File opened for modification | C:\Program Files\WatchAssert.wav
  File opened for modification | C:\Program Files\GetResolve.contact
  File opened for modification | C:\Program Files\MountOpen.wm
  File opened for modification | C:\Program Files\ResizeProtect.wmv
  File opened for modification | C:\Program Files\SubmitRepair.ico
  File opened for modification | C:\Program Files\TraceEnable.mov
  File opened for modification | C:\Program Files (x86)\8802099cdefd5cde.tmp
  File opened for modification | C:\Program Files\ConvertFromExit.tmp
  File opened for modification | C:\Program Files\DisableBlock.wps
  File opened for modification | C:\Program Files\InvokePush.otf
  File opened for modification | C:\Program Files\PingCompare.xht
  File opened for modification | C:\Program Files\ReceiveDisconnect.mpeg
  File opened for modification | C:\Program Files\RegisterLimit.odt
  File opened for modification | C:\Program Files\ResizeAssert.m3u
  File opened for modification | C:\Program Files\BlockRestart.ini
  File opened for modification | C:\Program Files\OpenMerge.DVR
  File opened for modification | C:\Program Files\ResetHide.vsx
  File opened for modification | C:\Program Files\UnprotectApprove.ex_
- Drops file in Windows directory (6 IoCs)
  Process for every row: svchost.exe (PID 1448, the wuauserv service host, see Processes below)
  description | ioc
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log
  File opened for modification | C:\Windows\WindowsUpdate.log
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  None of these rows is attributed to the sample: they are the Windows Update service writing its own datastore and logs during the run, and should be treated as sandbox background rather than as sample behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1952 | 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
  1952 | 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1040 | vssvc.exe
  Token: SeRestorePrivilege | 1040 | vssvc.exe
  Token: SeAuditPrivilege | 1040 | vssvc.exe
  Token: SeShutdownPrivilege | 1448 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1448 | svchost.exe
  Token: SeShutdownPrivilege | 1448 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1448 | svchost.exe
  Token: SeShutdownPrivilege | 1448 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1448 | svchost.exe
  All nine rows come from vssvc.exe (the Volume Shadow Copy service) and the wuauserv svchost.exe, not from PID 1952. The report records no child process of the sample and no command line that invokes either service, so this signature alone does not attribute shadow-copy tampering to the sample; vssvc.exe activity is consistent with it but is not shown to be caused by it here.
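The Malware Config, "Drops startup file", "Drops file in Program Files directory" and the two service-attributed signatures above share one triage question: which rows are the sample's own footprint, and does the identifier in the .tmp marker really tie back to the extracted note? The script below is an added example, not code from the tria.ge report. It re-parses flattened "description ioc Process" rows of the shape shown above (a constructed subset of them is embedded), correlates the 16-hex marker name with the ransom-note URL path, splits sample events from Windows-service background, and finally hunts a directory tree for the same note/marker pair. The function names (parse_event, victim_id, noted_directories, split_by_origin, hunt, demo_hunt) and the temporary tree built by demo_hunt are this example's own assumptions.

```python
"""Triage helper for the Maze signatures in this report (added example).

Event lines and paths are constructed from the report's signature rows; the
.tmp/URL correlation is what the report shows, not a general Maze rule.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import urlparse

SAMPLE = "195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe"
NOTE_NAME = "DECRYPT-FILES.txt"
MARKER_RE = re.compile(r"^[0-9a-f]{16}\.tmp$", re.IGNORECASE)
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+\.exe)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")

# URLs the sandbox extracted from C:\DECRYPT-FILES.txt (Malware Config section).
NOTE_URLS = [
    "http://aoacugmutagkwctu.onion/8802099cdefd5cde",
    "https://mazedecrypt.top/8802099cdefd5cde",
]

# A subset of the signature rows above, one row per line (constructed from the report).
EVENT_LINES = rf"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt {SAMPLE}
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8802099cdefd5cde.tmp {SAMPLE}
File created C:\Program Files\DECRYPT-FILES.txt {SAMPLE}
File opened for modification C:\Program Files\8802099cdefd5cde.tmp {SAMPLE}
File opened for modification C:\Program Files\ConfirmTest.xlsb {SAMPLE}
File created C:\Program Files (x86)\DECRYPT-FILES.txt {SAMPLE}
File opened for modification C:\Program Files (x86)\8802099cdefd5cde.tmp {SAMPLE}
File opened for modification C:\Windows\WindowsUpdate.log svchost.exe
Token: SeBackupPrivilege 1040 vssvc.exe
Token: SeShutdownPrivilege 1448 svchost.exe
""".strip().splitlines()


def parse_event(line):
    """Turn one flattened row into a dict; None if it matches neither row shape."""
    m = FILE_RE.match(line)
    if m:
        return {"kind": m.group(1), "ioc": m.group(2), "process": m.group(3)}
    m = TOKEN_RE.match(line)
    if m:
        return {"kind": "Token", "ioc": m.group(1), "pid": int(m.group(2)), "process": m.group(3)}
    return None


def file_events(events):
    """File rows only, paired with a PureWindowsPath so this also runs on non-Windows hosts."""
    return [(e, PureWindowsPath(e["ioc"])) for e in events if e["kind"] != "Token"]


def victim_id(events, urls):
    """The 16-hex ID, but only when the same string names a <id>.tmp marker AND ends a
    ransom-note URL path; either source alone is not enough to call it."""
    marker_ids = {p.stem.lower() for _, p in file_events(events) if MARKER_RE.match(p.name)}
    url_ids = {urlparse(u).path.rsplit("/", 1)[-1].lower() for u in urls}
    common = marker_ids & url_ids
    return next(iter(common)) if len(common) == 1 else None


def noted_directories(events):
    """Directories that received both the ransom note and the <id>.tmp marker."""
    flags = {}
    for _, p in file_events(events):
        bucket = flags.setdefault(str(p.parent), set())
        if p.name == NOTE_NAME:
            bucket.add("note")
        elif MARKER_RE.match(p.name):
            bucket.add("marker")
    return sorted(d for d, f in flags.items() if f == {"note", "marker"})


def split_by_origin(events, sample=SAMPLE):
    """Events attributed to the sample vs. a per-process count of everything else
    (in this report: the wuauserv svchost.exe and vssvc.exe background)."""
    own = [e for e in events if e["process"] == sample]
    background = Counter(e["process"] for e in events if e["process"] != sample)
    return own, background


def hunt(root):
    """Walk a tree (mounted image, share) and return {directory: [marker ids]} for every
    directory that holds DECRYPT-FILES.txt plus at least one <16 hex>.tmp marker."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        ids = sorted(n[:-4].lower() for n in names if MARKER_RE.match(n))
        if NOTE_NAME in names and ids:
            hits[dirpath] = ids
    return hits


def demo_hunt():
    """Build a throwaway tree (constructed, not from the report) and run hunt() over it."""
    root = tempfile.mkdtemp()
    hit, note_only = os.path.join(root, "Program Files"), os.path.join(root, "Public")
    os.makedirs(hit)
    os.makedirs(note_only)
    for name in (NOTE_NAME, "8802099cdefd5cde.tmp", "ConfirmTest.xlsb"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(note_only, NOTE_NAME), "w").close()  # note without marker: no hit
    return {os.path.relpath(d, root): ids for d, ids in hunt(root).items()}


EVENTS = [e for e in map(parse_event, EVENT_LINES) if e]

if __name__ == "__main__":
    print("victim id:", victim_id(EVENTS, NOTE_URLS))
    print("note + marker in:", noted_directories(EVENTS))
    own, background = split_by_origin(EVENTS)
    print(f"{len(own)} sample events; background: {dict(background)}")
    print("hunt demo:", demo_hunt())
```

victim_id deliberately refuses to answer unless the marker name and the URL path agree, so a stray `<hex>.tmp` from some other tool does not get reported as a Maze ID. hunt() is only as specific as what this report shows (a ransom note beside a 16-hex .tmp), so treat its hits as candidates to confirm against the note contents rather than as proof of Maze.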
Processes
All three processes below are recorded at depth 1 (top level); the report shows no child process of the sample.
- C:\Users\Admin\AppData\Local\Temp\195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe (PID 1952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe"
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 1040)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 1448)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken