Analysis
max time kernel: 168s
max time network: 175s
platform: windows7_x64
resource: win7-en-20211208
submitted: 16-02-2022 23:13

Static task: static1
Behavioral task: behavioral1
  Sample: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
  Resource: win10v2004-en-20220113

General
Target: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Size: 2MB
MD5: 54c9a5fc6149007e9b727fcccdafbbd4
SHA1: 503f44e1634b7cfad812c7be2a15f0fe4d9a1b58
SHA256: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
SHA512: d79c19c5ce44881790abdb1caf654286ab8eefc5e7baf2c9ff13a58a97a004713015ba1539819ace212e505227e2b11e503c7bd14aeaab013bc77557bb02943e
Malware Config
Extracted
Path: C:\DECRYPT-FILES.txt
Family: maze
Ransom Note:
Attention!
----------------------------
What happened?
----------------------------
All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps.
----------------------------
How to get my files back?
----------------------------
The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/892e099ca81afa11 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/892e099ca81afa11 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team.
----------------------------
What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat!
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION!
DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY--- 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 ---END MAZE KEY---
URLs:
http://aoacugmutagkwctu.onion/892e099ca81afa11
https://mazedecrypt.top/892e099ca81afa11
Signatures

Maze
Ransomware family also known as ChaCha.

Deletes shadow copies ⋅ 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files ⋅ 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\RepairEdit.tiff | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File renamed | C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.mabJ9hx | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File renamed | C:\Users\Admin\Pictures\RestoreSwitch.png => C:\Users\Admin\Pictures\RestoreSwitch.png.mabJ9hx | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File renamed | C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.mabJ9hx | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification | C:\Users\Admin\Pictures\TestPing.tiff | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File renamed | C:\Users\Admin\Pictures\TestPing.tiff => C:\Users\Admin\Pictures\TestPing.tiff.SFt7lQ6 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File renamed | C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.PxlN0X | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Drops startup file ⋅ 2 IoCs
Processes: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\892e099ca81afa11.tmp | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Sets desktop wallpaper using registry ⋅ 2 TTPs 1 IoCs
Processes: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Drops file in Program Files directory ⋅ 47 IoCs
Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
Processes: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
pid | process
832 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Suspicious use of AdjustPrivilegeToken ⋅ 43 IoCs
Suspicious use of WriteProcessMemory ⋅ 4 IoCs
Processes: 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
description | pid | process | target process
PID 832 wrote to memory of 1528 | 832 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe | wmic.exe
PID 832 wrote to memory of 1528 | 832 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe | wmic.exe
PID 832 wrote to memory of 1528 | 832 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe | wmic.exe
PID 832 wrote to memory of 1528 | 832 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe | wmic.exe
Processes

C:\Users\Admin\AppData\Local\Temp\04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

C:\Windows\system32\wbem\wmic.exe
  Command line: "C:\kl\du\uy\..\..\..\Windows\tvc\deg\wd\..\..\..\system32\wlh\..\wbem\eewx\..\wmic.exe" shadowcopy delete
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}