Analysis Overview
SHA256
0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f
Threat Level: Known bad
The file 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f was found to be: Known bad.
Malicious Activity Summary
Maze
Drops startup file
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-16 23:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-16 23:12
Reported
2022-02-16 23:21
Platform
win7-en-20211208
Max time kernel
170s
Max time network
186s
Command Line
Signatures
Maze
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc571ecaeff.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
Files
memory/1632-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-16 23:12
Reported
2022-02-16 23:21
Platform
win10v2004-en-20220112
Max time kernel
184s
Max time network
195s
Command Line
Signatures
Maze
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b850cafc6a52acc.tmp | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.224.57:443 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| NL | 92.123.77.43:80 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| RU | 91.218.114.11:80 | | tcp |