Malware Analysis Report

2024-09-22 14:41

Sample ID 220216-26t34sebh8
Target 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f
SHA256 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f
Tags
maze ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f

Threat Level: Known bad

The file 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Drops startup file

Reads user/profile data of web browsers

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-02-16 23:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-16 23:12

Reported

2022-02-16 23:21

Platform

win7-en-20211208

Max time kernel

170s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"

Signatures

Maze

trojan ransomware maze

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\ConnectDebug.m1v | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\ResumeRepair.dot | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SkipConfirm.svg | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files (x86)\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\BackupDismount.odp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\InitializeApprove.3g2 | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\RestartSplit.mpeg | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\StopGrant.mp4 | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\ConnectDebug.pub | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\WaitUnlock.ogg | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SaveOpen.vbe | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\PingSubmit.midi | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\ResetConvertTo.ps1xml | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SkipFind.mp4 | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\UninstallDismount.tif | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\EnterFind.vsdx | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\DebugRegister.WTV | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\ConvertFind.gif | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\NewRestore.docm | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\CompressUnblock.xlsx | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\NewUnlock.vssx | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\RestoreBlock.ps1xml | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\RemoveEnable.M2TS | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\RepairComplete.mpp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SyncConvert.mov | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\GetResume.wmf | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe

"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
RU | 91.218.114.4:80 | N/A | tcp
RU | 91.218.114.4:80 | N/A | tcp
RU | 91.218.114.4:80 | N/A | tcp
RU | 91.218.114.11:80 | N/A | tcp
RU | 91.218.114.11:80 | N/A | tcp

Files

memory/1632-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-16 23:12

Reported

2022-02-16 23:21

Platform

win10v2004-en-20220112

Max time kernel

184s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"

Signatures

Maze

trojan ransomware maze

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\JoinDisable.ini | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\PopUnlock.wm | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SplitOpen.emf | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files (x86)\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\InstallRegister.vb | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\TestBlock.ocx | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\PopClear.nfo | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\ExitInstall.dxf | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\SearchHide.svg | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\StepPublish.htm | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A
File opened for modification | C:\Program Files\DisableConfirm.nfo | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe

"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country | Destination | Domain | Proto
NL | 104.80.224.57:443 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
US | 72.21.91.29:80 | N/A | tcp
NL | 92.123.77.43:80 | N/A | tcp
US | 72.21.91.29:80 | N/A | tcp
RU | 91.218.114.4:80 | N/A | tcp
RU | 91.218.114.4:80 | N/A | tcp
US | 13.107.21.200:443 | N/A | tcp
RU | 91.218.114.11:80 | N/A | tcp

Files

N/A