maze | 138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e

General

Target

138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe
Size

449KB
MD5

8107f019d9d6fe62a49ce7ad40fa1f7b
SHA1

8bf319aa49589558f0ff482bff805676a7fed109
SHA256

138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e
SHA512

7991048cbc053d71e2d92980e516426d04ef55617e04bd00b568c2e7ebd155211dfd8af8f492614cbe056ade6fb81365dd8a1f5cc94e3dbecbd10edb60a67a61

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>getmyfilesback@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">XPgBLHUp1bDZmusEKuv3qVhzTZ2hwRFCcu6lSqRcBdVnK+/zsL/FFw8HPbLjXcbdLLnUFmFmmBMriBNxd+xfh4NlHNCRY5xYpr9BqfhybmOCQLjwhb8sp3kaa8zRWUN0uKarG4HQk7gEihw6rfk7leqFXxI8wVFdMZcQgEIkwEkOuB1xXporJBZkKX337sQ67EJx6UHucOH8g6ftII9mqo+r31Pw8lUy/QJqCHQlOo9ylLeHGnR4C1SZWIlZK2QR0hIDrdx3K/NHhmt91uPm4dl8j5ozFXmvNbPZu9d63QGtIDh8MSvLcGBAumNiyLvjvBOC+P7Fjh8UGrviCqDt0QLvMWsGgUUz8xfBr7SBH8GvReYcA7V4we1DTt+ziVBG/Ee2sNIa7xbUhq2eM/e3R34651pggpqwkUDnHELl7BePUjQPWQdUStrA1VvoczDamDgqkxe+aVU2spZxJi0ucsI47O7tvs7zgV1VxN2KS6yrIFMMKbPK35mRFlp1SKAycRBKNUltT5xfmMXtFtjcq4NMoOlWCx5B7lci+pgDwbjl7L9Ezx44mcVQvHjFfSxtoDOGuqDCgYLuIIeErzMxdfrGR6Q/6Nw4drw1IV/4vRe3YnQQwXOUm3sLmfy0tMxxxAe9MhUDyfJAzhYItG2Wq3dv7w1N5j3E9yPBucbxx4meOsMVUgUu4SylKAopuCNqTaCbjwrlUTZpWTItt7CmIKOXEaqhMCjWQW3qHg3lFshAWAfsfpLsTAvTB6qb14KtEE+WMWmhL2uNOVvzlW4suS6QOCATyRa2xbpOF0LJL2cz0Lx4PWYjvI+nPd4m6foXD4LlzYXYkNwLvYCyQcPvC4Lkg8M/8aU07pjcCNU3gwANyLF9FruugAPmA4WaFCOwFIT9k2aJHVwmjVMIfLpmoN4ciIxq8NT2SvNfoBAC4w0ViCazlN77NcD7QAVGrKWijS2HxQ9TM8DRS9Go762/LTi5NeogI81h10BPEUmgcpoypr0p3PAqwO2gf/Czn4v7hi/3jKVz3RFdXCCrVuixkk/auF+C+KHappySqpuIDLc9iXrSICyFd9PQ+7Xj9ZmRE9jjfJMZbWqHZxrseK/6heRfp5VyYDbeLyGcDdmxAvFpSSdprSQsnsGJtU/MCjYkv4Dnh+5Jj6CV50XqOu9rfp/4/1DgKyOM3B8EXJej7YStXP+hJwsb5+KDDSqjCgCW8rWYOgicrUGg0o1KihcnK7CvQSlongkS1bpDwxn9ubF6/ai9m7d95X6g6xdgFy5ZwEYoSjG5h/X6sOTdkw0a6MzlKWX7NStWyXlR2mvCsyRW6wcRHrtVGla0yFeEzjLZuCkeP7HkTzm4qLDVzZaibgNZIyCXm0z1y/4k6bfI8vh4is5r/fU6c9QrJZ371QvZU2bgoT4DwxnHPck0kP1dqqx2plkYlGGAMH56YFQD5Esh5qsSPICTx0DS1YmjXcmz/Ddiww5G81XNKqxQRByuAkvivnB/efc71b9yy405H5lHBVR77sAwEUQv90cHYKvgKn9X4iMbowoKs0aMYkCB3t329+46zymN+ilKRWq/rRG3FJyWPH988dCbX/KLU476fkbPKu7Ogu66T1M2vr0Z2m81q28070ZFajVv46KBxF2O6DiAaSCih6pdINJCdjiwiqvVwKfAPW4OvD7qVVug5iCeWQ4XJn8eVqQPZeF+9SdWWF5rRWM965bQJsM9+v7im/o2oQOyHr8JjRnwBeI5j4HiLFBIh9qRWElVUhj+/5Hd7rOe11rxLnY5T4PV9q/qvYSdM2nqWyBev6oug6TsrkqGHGeDnRPNQ9oH+06hlv8WUcheUCZN6AamNi4OP2Q1p3LJHJNMg1J3ShQLmrH4QpdEPRZlq9VcIQezWqQCsMPXqCUWXhzM/Vf7Cm+I/0oWkIcNIvDuXCYR9cKnGUuSHTj5q54ZzxJ3BxUZxDDqmB6yG9j+Cz2mYcib/hLDg1t0AqpWMZv0BBYpreFcKeYaJjRRKZspHxgKdFYRIeWeJ1YwTmbF9Q3u7j0i9fN6ixqbU5TzQKjMpeX5b7B3uLWFBF1ja2cVJdhTro7hvBvwBHmiIH0MIgjeku2b2Fu8Y7TUHtYeUVPDrFxO7DAevZQzhZ2D4JlWebuF5/gp/aJnjRCwHxsn+KfB8s2ZAhEos4tIKZew1kABoiZwOs9O7t2aQEK6qNji3v6OQGlBQxBDd6XsVOFFLvvU6t9a55Uz35lfb4xHeAoiOAA3ADUAYwAwADkAOAAzAGQAYgBlADMANwA2ADAAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJSAEkAQgBDAFEAVQBIAFEAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADEALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwo4O7DngBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>getmyfilesback@airmail.cc</b>

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.218841"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4092"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897036521392847"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe

pid	process
312	138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe
312	138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe
Token: SeShutdownPrivilege	2276	wmic.exe
Token: SeDebugPrivilege	2276	wmic.exe
Token: SeSystemEnvironmentPrivilege	2276	wmic.exe
Token: SeRemoteShutdownPrivilege	2276	wmic.exe
Token: SeUndockPrivilege	2276	wmic.exe
Token: SeManageVolumePrivilege	2276	wmic.exe
Token: 33	2276	wmic.exe
Token: 34	2276	wmic.exe
Token: 35	2276	wmic.exe
Token: 36	2276	wmic.exe
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe
Token: SeShutdownPrivilege	2276	wmic.exe
Token: SeDebugPrivilege	2276	wmic.exe
Token: SeSystemEnvironmentPrivilege	2276	wmic.exe
Token: SeRemoteShutdownPrivilege	2276	wmic.exe
Token: SeUndockPrivilege	2276	wmic.exe
Token: SeManageVolumePrivilege	2276	wmic.exe
Token: 33	2276	wmic.exe
Token: 34	2276	wmic.exe
Token: 35	2276	wmic.exe
Token: 36	2276	wmic.exe
Token: SeBackupPrivilege	2636	vssvc.exe
Token: SeRestorePrivilege	2636	vssvc.exe
Token: SeAuditPrivilege	2636	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe

description	pid	process	target process
PID 312 wrote to memory of 2276	312	138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe	wmic.exe
PID 312 wrote to memory of 2276	312	138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe
"C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\system32\wbem\wmic.exe
"C:\id\yio\..\..\Windows\eo\o\du\..\..\..\system32\j\r\..\..\wbem\j\rwry\wdoqr\..\..\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-133-0x00000000023F0000-0x0000000002449000-memory.dmp

Filesize
356KB

Download
memory/312-136-0x00000000023F0000-0x0000000002449000-memory.dmp

Filesize
356KB

Download
memory/312-137-0x00000000023F0000-0x0000000002449000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads