maze | 0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd

Analysis

max time kernel
173s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
Size

1.0MB
MD5

be0e634d059c6d113b7874eb00daabbf
SHA1

4ba2a5d816f09e83b8b5dacb99bc26ee8ec0db46
SHA256

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd
SHA512

00bee8ab544be1643f894c2b1375a5b014eec4d85cfd5d630918e49fc815c332eddeec5f736719a40fbe0d28a49675851fccfff94a0353ac8c976ce2c3606be7

Score

10^/10

maze ransomware spyware stealer suricata trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2b0cc859273d0f e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c2b0cc859273d0f b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- CWV+/uBbH7uCmkZaRZOkskserjMvRVVNbA+AGBzUlZyiNxqPeKVoHl3ohKmkEqARc23N0WOUSqZs0pUyd7RyuNrqXHakC9ovcIH92GMpZUzU+JR/8Trtcr1Yb/Who+nkZHNZK0yJ5X8ui5M7xOtnkj8gF4oTVg2FjNLHN0QNmzFN/XXymTNdyCNrf7NHKceVBG4qiNVNd3+neYKqjbAYXrSiA9aynhISUbftX26Ew9m8tFPLPijhcDNh0raJYkfImyNRwJnyH+pzbjQhXiMPLnsCPNDCeq5I7O0n30oDgGHguDq/Suvd3kuiAE2Ts2uEfwoaISi8pPYobgGzTToNy27bzdWyS9HtsQ/CzNPNbf+tIwfwq8cnizsNSNkmlqsICS9ZDHOotXvPQ3Ha2Nq6G5aTfD0y46v9tuQ6vbpGMnKyYQ9trUmiH0zJrUG8c3NI2FMV7DFL3R7Zz5T4mNGG5kooXN9RG2E3que2T5BX1/ntDPxMMqH0e8c0J6nXvb1bqrapEP/uTqh1IurY5phnviluFkyd8zhmdxjKhuTf809/aK7YiwC9Z+Yh9WbIHOhnW/9UXqN7YVW4Wemp130SGOj37jLvjIQ92BIUKz7faTgIk4MtaOl1vSdptDojdth36HC5HG9gMaIPUBwIZhvgIVocCnHvRQO/i2+9tIb9O0aEmisVcuhS/X1Gtv+9aeNdQRyjO5wefbzco20PebFCO6MBXK2HnxNzRnlYPyAXylS4vrfvOkzzCc7ZbZ9h/iNmOMNIyNtKNpIuQGfkrbol/WEwMew0whYgN/VY9nUnPQTAD396l5bj2hXsIKDLHpXgMM7lArp16+AbOoopqT2gDuWOv1UgKYm1ReeNBRaFwe2qN9XDcoyuAvRBkLckeslSDYTMYbFQqjtdmd2U1/tPEbfwjHWBBe2SmkEg06ruJPX3V1zSnojtb5ECiK5xyX8VfTg5yuZSfcUa/PjUPhUmUansIJhD2PMbo+Vc9tsWR1ieKDR9HpnVYff0aZuGVOmJgLxCDu8lMVqZ7ixUF76Nm7Zzzc6XBZd8JYfk4/ja+Q1YGI0J++OGPxZ+NBX0cAjzzKctIm/MmPWXpuirrE8mIv9Yc/46sVrdhPcs1RVX4QPcCwENnsG3fv9KZAsrQrac98XbwwhHXtD6ZBstq4pmW+i9O5Q1cKbb7C1cQeAQpOOU1reFuWGY/Q68AzLuyT57XdmRMj1coX1aDrQyxk9G/SE/CyzPBPELBamjcpTwiiWy9ncHbJeJP0k8PnlocQJIPy5cKZwU6W+j82lJbR7+vrXgsNqts5Z26oCIJmgf3Jt1Dt30+cRyKqbl8YjJsjSRtA/NnT/pm08hX/Ay6lhXUm4m9gwt2jghLiDFIVyRRHpLEORtkhNG/hWXzPfwkuKEBSm8R2KnaWc8o5wqt9YIBulZ8zZcDbPL/d9q0jnWoDFQdc6bFPkvZcCsulpBsn1hw3+V0eV2Rg4Kxr1hA9zThlYGVD/gZ38BZ0KVvdoXSeefL2mhL9CBPG8iEseszLVjIuZbyA63CtJg3Mc2S3tR7sVvEppNeKVaYM6L9mLxvw12sn2peaW/5hYCUBqZlIfANp419SIOfYd57ak8wdE51gRlE2GawCxslLC1+c+OHvCi49OBIe5AUpTd8tJHjSKq4/UoF+aPUrmz6pSyU5Um2AuY2oQtOQO+t+9BQ9ljcDGgzqB+p/wINZ1iHiIEFBMJtdcOqPxm+lKP50cNC9YSmbwWH1LQdCzTJ1esSMl+ux/tmf67zqqqoza/JtgZPCVQK2eEiP0uRNkqjTmoQWZX4aDel6Q0YO5LLQrYLVqzLMbQXb3RZWNyykz46Ton9iJkyGa4i1IHnSXwSUCX0dYuUx9Uh9j63J4Y8gdqEbywD8usCK+aHjCUCqTHkiPpmFTStIfJ9bJPg/ET/NFJ8rERkR8KHI4QnOZK5UqQiTHez/8p/SWENKJX7mQ1FIP3K4dHUdxm4/XzYRT6Vx1JDgC/qJQ8D6JVhqHpYtCCy88eDRgY/3qG2WY8qxIA0mHCfLYsI8gcOYqH9bNRO0DT6djtNTBrfYRAmFpORJgesqLc+M9+N/KB94ujev2EiEbeLcPuwY8sdt81tKfKORyGFMKRilmYv6iBOIkRuPK1rIIMtp9TrAwq68ybMvURUgFTCfqvIOTwZdfMk4QiWS2OMfons8Mv+wX+a9sr5bZXyAFOkx72H6TCTTD5jnrSeLMA+3viyCquSAoiNgBjADIAYgAwAGMAYwA4ADUAOQAyADcAMwBkADAAZgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEoARABRAFAAWABPAFAAUgAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEI2fABDAF8ARgBfADIAMAA0ADcAOQAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHC237YOeAyAAQGKAQUyLjMuMQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c2b0cc859273d0f

https://mazedecrypt.top/6c2b0cc859273d0f

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 1896 created 3544	1896	WerFault.exe	100

suricata: ET MALWARE Maze/ID Ransomware Activity
suricata: ET MALWARE Maze/ID Ransomware Activity
suricata

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SelectRemove.png => C:\Users\Admin\Pictures\SelectRemove.png.FrkXB	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\StartSuspend.raw => C:\Users\Admin\Pictures\StartSuspend.raw.R5bpV7	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\UnpublishResume.png => C:\Users\Admin\Pictures\UnpublishResume.png.R5bpV7	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\WriteSuspend.png => C:\Users\Admin\Pictures\WriteSuspend.png.WFiM	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\DenyOut.tif => C:\Users\Admin\Pictures\DenyOut.tif.tO7vMk	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\DismountReset.crw => C:\Users\Admin\Pictures\DismountReset.crw.jwFSp9	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\ImportConvert.raw => C:\Users\Admin\Pictures\ImportConvert.raw.jwFSp9	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File renamed	C:\Users\Admin\Pictures\MoveClose.raw => C:\Users\Admin\Pictures\MoveClose.raw.u3ZToR1	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

Drops startup file 4 IoCs

Processes:

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2b0cc859273d0f.tmp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c2b0cc859273d0f.tmp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 21 IoCs

Processes:

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

description	ioc	Process
File created	C:\Program Files\DECRYPT-FILES.txt	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\ApproveUnblock.odt	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\EditUninstall.asp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\ResolveGet.avi	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files (x86)\6c2b0cc859273d0f.tmp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\EnableBackup.potm	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\PopUninstall.dxf	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\UninstallConvertFrom.3gp2	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\UseRemove.avi	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\WaitConnect.xls	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\OptimizePublish.mhtml	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\ReceiveExpand.vb	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\RequestFormat.dotm	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\SendGroup.vsd	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\6c2b0cc859273d0f.tmp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\CopyStart.asp	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\DismountRemove.css	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\GroupMount.mov	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\HideDisconnect.edrwx	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
File opened for modification	C:\Program Files\InvokeRequest.eprtx	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3216	3544	WerFault.exe	100
2884	3544	WerFault.exe	100

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 36 IoCs

Processes:

SearchApp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5764"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2687"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2257"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "792"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "792"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "792"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2687"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7616"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2687"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7616"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "5764"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7616"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2257"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2257"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5764"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

pid	Process
4032	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
4032	0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

vssvc.exesvchost.exeSearchApp.exe

description	pid	Process
Token: SeBackupPrivilege	484	vssvc.exe
Token: SeRestorePrivilege	484	vssvc.exe
Token: SeAuditPrivilege	484	vssvc.exe
Token: SeShutdownPrivilege	276	svchost.exe
Token: SeCreatePagefilePrivilege	276	svchost.exe
Token: SeShutdownPrivilege	276	svchost.exe
Token: SeCreatePagefilePrivilege	276	svchost.exe
Token: SeShutdownPrivilege	276	svchost.exe
Token: SeCreatePagefilePrivilege	276	svchost.exe
Token: SeTakeOwnershipPrivilege	3544	SearchApp.exe
Token: SeRestorePrivilege	3544	SearchApp.exe
Token: SeTakeOwnershipPrivilege	3544	SearchApp.exe
Token: SeRestorePrivilege	3544	SearchApp.exe
Token: SeTakeOwnershipPrivilege	3544	SearchApp.exe
Token: SeRestorePrivilege	3544	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchApp.exe

pid	Process
3544	SearchApp.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WerFault.exeSearchApp.exe

description	pid	Process	procid_target
PID 1896 wrote to memory of 3544	1896	WerFault.exe	100
PID 1896 wrote to memory of 3544	1896	WerFault.exe	100
PID 3544 wrote to memory of 2884	3544	SearchApp.exe	110
PID 3544 wrote to memory of 2884	3544	SearchApp.exe	110
PID 3544 wrote to memory of 2884	3544	SearchApp.exe	110

C:\Users\Admin\AppData\Local\Temp\0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe
"C:\Users\Admin\AppData\Local\Temp\0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3544 -s 4504
  2⤵
  - Program crash
  PID:3216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3544 -s 4504
  2⤵
  - Program crash
  PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3544 -ip 3544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-140-0x000001A8DB5A0000-0x000001A8DB5B0000-memory.dmp

Filesize
64KB

Download
memory/276-141-0x000001A8DBC20000-0x000001A8DBC30000-memory.dmp

Filesize
64KB

Download
memory/276-142-0x000001A8DE320000-0x000001A8DE324000-memory.dmp

Filesize
16KB

Download
memory/2176-145-0x000001FC06350000-0x000001FC06354000-memory.dmp

Filesize
16KB

Download
memory/4032-133-0x0000000000E56000-0x0000000000ED3000-memory.dmp

Filesize
500KB

Download
memory/4032-134-0x0000000000F40000-0x0000000000F9E000-memory.dmp

Filesize
376KB

Download
memory/4032-138-0x0000000000E56000-0x0000000000ED3000-memory.dmp

Filesize
500KB

Download
memory/4032-139-0x0000000000F41000-0x0000000000F7A000-memory.dmp

Filesize
228KB

Download