Analysis
  Max time kernel: 170s
  Max time network: 190s
  Platform: windows10-2004_x64
  Resource: win10v2004-en-20220113
  Submitted: 16-02-2022 23:11
Static task
  static1

Behavioral task
  behavioral1
  Sample: 0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe.dll
  Resource: win7-en-20211208

Behavioral task
  behavioral2
  Sample: 0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe.dll
  Resource: win10v2004-en-20220113
General
  Target: 0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe.dll
  Size: 593KB
  MD5: f5816c4519f8c36983d8836314a1c8ce
  SHA1: 1e7e30fb999e000a9495137ff4222ffd95d04c95
  SHA256: 0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe
  SHA512: 70072c6f2fd953d5c00bdad1de49928bf6db510b5354547735a079628ca82150cadc8ece62e453f80786d7930f69fcc4adfb9dbc10cfa5653d455c90557d0898
Malware Config
  Extracted from: C:\DECRYPT-FILES.txt
  Family: maze
  URLs:
    http://aoacugmutagkwctu.onion/6c2b0cc8492fd55d
    https://mazedecrypt.top/6c2b0cc8492fd55d
Signatures

Maze
  Ransomware family also known as ChaCha.
Drops startup file (4 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2b0cc8492fd55d.tmp | regsvr32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c2b0cc8492fd55d.tmp | regsvr32.exe
Drops file in Program Files directory (26 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File created | C:\Program Files\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Program Files\DenyStop.xml | regsvr32.exe
  File opened for modification | C:\Program Files\OutRestore.xht | regsvr32.exe
  File opened for modification | C:\Program Files\RemoveShow.reg | regsvr32.exe
  File opened for modification | C:\Program Files\RequestStart.html | regsvr32.exe
  File opened for modification | C:\Program Files\TraceExpand.wav | regsvr32.exe
  File opened for modification | C:\Program Files\UnlockComplete.dotx | regsvr32.exe
  File opened for modification | C:\Program Files (x86)\6c2b0cc8492fd55d.tmp | regsvr32.exe
  File opened for modification | C:\Program Files\CompleteExport.ico | regsvr32.exe
  File opened for modification | C:\Program Files\DebugResolve.xml | regsvr32.exe
  File opened for modification | C:\Program Files\NewSet.nfo | regsvr32.exe
  File opened for modification | C:\Program Files\SearchSet.wps | regsvr32.exe
  File opened for modification | C:\Program Files\SelectRegister.vbs | regsvr32.exe
  File opened for modification | C:\Program Files\SuspendCompress.midi | regsvr32.exe
  File created | C:\Program Files (x86)\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Program Files\6c2b0cc8492fd55d.tmp | regsvr32.exe
  File opened for modification | C:\Program Files\InstallOut.mpeg | regsvr32.exe
  File opened for modification | C:\Program Files\MoveSelect.dib | regsvr32.exe
  File opened for modification | C:\Program Files\SearchEdit.snd | regsvr32.exe
  File opened for modification | C:\Program Files\UndoShow.jpe | regsvr32.exe
  File opened for modification | C:\Program Files\WatchUnpublish.scf | regsvr32.exe
  File opened for modification | C:\Program Files\BlockExit.m3u | regsvr32.exe
  File opened for modification | C:\Program Files\DismountTrace.vb | regsvr32.exe
  File opened for modification | C:\Program Files\ProtectGet.mid | regsvr32.exe
  File opened for modification | C:\Program Files\ResumeUnregister.eprtx | regsvr32.exe
  File opened for modification | C:\Program Files\StopUpdate.AAC | regsvr32.exe
Drops file in Windows directory (6 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: SearchApp.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchApp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchApp.exe
Modifies registry class (3 IoCs)
  Processes: SearchApp.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache | SearchApp.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | SearchApp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | SearchApp.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: regsvr32.exe
  pid | process
  5068 | regsvr32.exe
  5068 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: vssvc.exe, svchost.exe
  description | pid | process
  Token: SeBackupPrivilege | 2368 | vssvc.exe
  Token: SeRestorePrivilege | 2368 | vssvc.exe
  Token: SeAuditPrivilege | 2368 | vssvc.exe
  Token: SeShutdownPrivilege | 1808 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1808 | svchost.exe
  Token: SeShutdownPrivilege | 1808 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1808 | svchost.exe
  Token: SeShutdownPrivilege | 1808 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1808 | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: SearchApp.exe
  pid | process
  4480 | SearchApp.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 3888 wrote to memory of 5068 | 3888 | regsvr32.exe | regsvr32.exe
  PID 3888 wrote to memory of 5068 | 3888 | regsvr32.exe | regsvr32.exe
  PID 3888 wrote to memory of 5068 | 3888 | regsvr32.exe | regsvr32.exe
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe.dll
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (child process)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\0f4bd47212a084ed6f4c50adf86dae36a025ffc4dc90a827799f4c49d53de0fe.dll
    - Drops startup file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Downloads
  memory/1808-136-0x000002458DD20000-0x000002458DD30000-memory.dmp (64KB)
  memory/1808-137-0x000002458DD80000-0x000002458DD90000-memory.dmp (64KB)
  memory/1808-138-0x0000024590440000-0x0000024590444000-memory.dmp (16KB)
  memory/5068-130-0x0000000001270000-0x00000000012CE000-memory.dmp (376KB)
  memory/5068-134-0x0000000001200000-0x000000000125D000-memory.dmp (372KB)
  memory/5068-135-0x0000000001271000-0x00000000012AA000-memory.dmp (228KB)