Analysis
- max time kernel: 178s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 16-02-2022 22:59
Static task: static1
Behavioral task behavioral1: sample 543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll, resource win7-en-20211208
Behavioral task behavioral2: sample 543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll, resource win10v2004-en-20220112 (the run reported below)
General
- Target: 543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll
- Size: 593KB
- MD5: 1f248135b858fd13de23d69df2393010
- SHA1: 5665c4e9a9c5eaf7ab7d489699fc644c6127c5d3
- SHA256: 543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b
- SHA512: 4a7b82fff7543ad91c398ad50a908d3cf103edda7d3d409cc47368c5c02ff0609057b92d8a4dbeac9a41c3f6355b2a0789ea2bdd7548290da3008881341be1a2
Malware Config
Extracted from: C:\DECRYPT-FILES.txt
Family: maze
- http://aoacugmutagkwctu.onion/6b850caf7e9a7f18
- https://mazedecrypt.top/6b850caf7e9a7f18
The trailing path component 6b850caf7e9a7f18 is the per-victim ID. The same value is used as the file name of the 6b850caf7e9a7f18.tmp marker the sample writes next to each copy of DECRYPT-FILES.txt (see the startup and Program Files IoCs below), so the marker name alone ties a host back to this ransom URL.
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is done by wmic.exe shadowcopy delete (PID 724), spawned by the sample's 32-bit regsvr32.exe (PID 2304). The wmic.exe image path in that command line is padded with non-existent directories and ".." segments so that it resolves to C:\Windows\system32\wbem\wmic.exe without containing that string literally. The vssvc.exe activity listed below (SeBackupPrivilege/SeRestorePrivilege on PID 3760) is consistent with the Volume Shadow Copy service servicing that request.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files. Here the original file name is kept and a random-looking suffix is appended (.JQuNaCf, .Dvk6h, .R8mP2A, .EdvzXh, .TYHWr6K, .sTvJbDV); the suffix is not constant across files, so a detection keyed on one fixed extension will miss it.
Processes: regsvr32.exe (the SysWOW64 child, PID 2304)
- File renamed C:\Users\Admin\Pictures\UnregisterBlock.raw => C:\Users\Admin\Pictures\UnregisterBlock.raw.JQuNaCf
- File renamed C:\Users\Admin\Pictures\BlockResolve.tiff => C:\Users\Admin\Pictures\BlockResolve.tiff.Dvk6h
- File renamed C:\Users\Admin\Pictures\StartResize.raw => C:\Users\Admin\Pictures\StartResize.raw.R8mP2A
- File opened for modification C:\Users\Admin\Pictures\FormatSearch.tiff
- File renamed C:\Users\Admin\Pictures\FormatSearch.tiff => C:\Users\Admin\Pictures\FormatSearch.tiff.EdvzXh
- File renamed C:\Users\Admin\Pictures\GroupTest.raw => C:\Users\Admin\Pictures\GroupTest.raw.EdvzXh
- File renamed C:\Users\Admin\Pictures\PingExit.raw => C:\Users\Admin\Pictures\PingExit.raw.TYHWr6K
- File renamed C:\Users\Admin\Pictures\PingReceive.raw => C:\Users\Admin\Pictures\PingReceive.raw.TYHWr6K
- File opened for modification C:\Users\Admin\Pictures\ResolveReceive.tiff
- File opened for modification C:\Users\Admin\Pictures\BlockResolve.tiff
- File renamed C:\Users\Admin\Pictures\FindCompress.raw => C:\Users\Admin\Pictures\FindCompress.raw.EdvzXh
- File renamed C:\Users\Admin\Pictures\ResolveReceive.tiff => C:\Users\Admin\Pictures\ResolveReceive.tiff.sTvJbDV
-
Drops startup file 4 IoCs
Processes: regsvr32.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b850caf7e9a7f18.tmp
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b850caf7e9a7f18.tmp
Placing DECRYPT-FILES.txt in the per-user Start Menu Startup folder makes Windows open the ransom note at every logon; the note and the victim-ID marker are written as a pair into every directory the sample touches.
-
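The rename IoCs under "Modifies extensions of user files" and the note and marker drops under "Drops startup file" are enough to write a first triage heuristic. The following is an added example for this report, not the sandbox's own signature logic and not code from the sample: it parses event lines in the format shown above, groups them by process, and flags a process that appends random-looking suffixes to many files or drops a ransom note, cross-checking the marker file name against the victim ID from the ransom URLs. The sample event lines are copied from the two signatures above; the benign lines, the rename threshold, the note-name pattern and the "random suffix" rule are this example's own constructed assumptions.

```python
"""Heuristics over sandbox file-event lines for ransomware-style renaming.

Added example for this report; not code from the report, the sandbox, or
the Maze authors. Thresholds, the note-name pattern and the "random
extension" rule are this example's own assumptions.
"""
import re
from collections import defaultdict

# Event lines copied from the report's "Modifies extensions of user files" and
# "Drops startup file" signatures (the sample's process is regsvr32.exe).
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\UnregisterBlock.raw => C:\Users\Admin\Pictures\UnregisterBlock.raw.JQuNaCf regsvr32.exe
File renamed C:\Users\Admin\Pictures\BlockResolve.tiff => C:\Users\Admin\Pictures\BlockResolve.tiff.Dvk6h regsvr32.exe
File renamed C:\Users\Admin\Pictures\StartResize.raw => C:\Users\Admin\Pictures\StartResize.raw.R8mP2A regsvr32.exe
File opened for modification C:\Users\Admin\Pictures\FormatSearch.tiff regsvr32.exe
File renamed C:\Users\Admin\Pictures\FormatSearch.tiff => C:\Users\Admin\Pictures\FormatSearch.tiff.EdvzXh regsvr32.exe
File renamed C:\Users\Admin\Pictures\GroupTest.raw => C:\Users\Admin\Pictures\GroupTest.raw.EdvzXh regsvr32.exe
File renamed C:\Users\Admin\Pictures\PingExit.raw => C:\Users\Admin\Pictures\PingExit.raw.TYHWr6K regsvr32.exe
File renamed C:\Users\Admin\Pictures\PingReceive.raw => C:\Users\Admin\Pictures\PingReceive.raw.TYHWr6K regsvr32.exe
File renamed C:\Users\Admin\Pictures\FindCompress.raw => C:\Users\Admin\Pictures\FindCompress.raw.EdvzXh regsvr32.exe
File renamed C:\Users\Admin\Pictures\ResolveReceive.tiff => C:\Users\Admin\Pictures\ResolveReceive.tiff.sTvJbDV regsvr32.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt regsvr32.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b850caf7e9a7f18.tmp regsvr32.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt regsvr32.exe
"""

# Constructed benign events (not from the report) to show the heuristic stays quiet.
BENIGN_EVENTS = r"""
File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report.docx.bak notepad.exe
File created C:\Users\Admin\Documents\notes.txt notepad.exe
"""

RENAME_RE = re.compile(r"^File renamed (.+?) => (.+) (\S+)$")
EVENT_RE = re.compile(r"^File (?:created|opened for modification) (.+) (\S+)$")
# Assumed note-name pattern and the victim-ID marker (<16 hex>.tmp) seen in the report.
NOTE_RE = re.compile(r"^(DECRYPT|README|HOW[_ -]?TO|RESTORE)[\w -]*\.(txt|html?|hta)$", re.I)
MARKER_RE = re.compile(r"^([0-9a-f]{16})\.tmp$")
RANSOM_URL_ID = "6b850caf7e9a7f18"  # from the report's ransom URLs
# Suffixes a legitimate tool commonly appends; never treated as "random".
KNOWN_SUFFIXES = {"bak", "old", "tmp", "orig", "zip", "gz", "txt", "log", "swp", "part"}
MIN_RENAMES = 5  # assumed threshold; tune to the event volume of your telemetry


def looks_random_extension(ext: str) -> bool:
    """Short alphanumeric suffix with mixed case or digits, e.g. 'JQuNaCf' or 'Dvk6h'."""
    if not ext.isalnum() or not 4 <= len(ext) <= 8 or ext.lower() in KNOWN_SUFFIXES:
        return False
    upper = any(c.isupper() for c in ext)
    lower = any(c.islower() for c in ext)
    digit = any(c.isdigit() for c in ext)
    return (upper and lower) or digit


def analyze_events(lines):
    """Group file events by process and score each one for ransomware-style renaming."""
    per_proc = defaultdict(lambda: {"renames": 0, "extensions": set(), "suffix_only": True,
                                    "notes": set(), "markers": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = RENAME_RE.match(line)
        if m:
            src, dst, proc = m.groups()
            st = per_proc[proc]
            st["renames"] += 1
            # Maze keeps the original name and appends a suffix: X.raw -> X.raw.<ext>
            if dst.startswith(src + "."):
                st["extensions"].add(dst[len(src) + 1:])
            else:
                st["suffix_only"] = False
            continue
        m = EVENT_RE.match(line)
        if m:
            path, proc = m.groups()
            name = path.rsplit("\\", 1)[-1]
            st = per_proc[proc]
            if NOTE_RE.match(name):
                st["notes"].add(name)
            marker = MARKER_RE.match(name)
            if marker:
                st["markers"].add(marker.group(1))
    results = {}
    for proc, st in per_proc.items():
        exts = sorted(st["extensions"])
        random_exts = [e for e in exts if looks_random_extension(e)]
        mass_rename = (st["renames"] >= MIN_RENAMES and st["suffix_only"]
                       and bool(exts) and len(random_exts) == len(exts))
        results[proc] = {
            "renames": st["renames"],
            "extensions": exts,
            "ransom_notes": sorted(st["notes"]),
            "marker_ids": sorted(st["markers"]),
            "marker_matches_url_id": RANSOM_URL_ID in st["markers"],
            "verdict": mass_rename or bool(st["notes"]),
        }
    return results


if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        for proc, res in analyze_events(events.splitlines()).items():
            print(label, proc, res)
```

The rename count and the per-process suffix set are what make the rule robust to Maze's varying extensions: it does not need to know any particular suffix, only that all suffixes appended by one process look generated. The marker-ID cross-check is specific to this family and is the first thing to drop when reusing the heuristic elsewhere.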
Drops file in Program Files directory 24 IoCs
Processes: regsvr32.exe
- File opened for modification C:\Program Files\SplitSuspend.xlsb
- File created C:\Program Files (x86)\DECRYPT-FILES.txt
- File opened for modification C:\Program Files\6b850caf7e9a7f18.tmp
- File opened for modification C:\Program Files\ClearStop.gif
- File opened for modification C:\Program Files\DenyWatch.mhtml
- File opened for modification C:\Program Files\ExitUninstall.3gp2
- File opened for modification C:\Program Files\AddExit.wmx
- File opened for modification C:\Program Files\BackupConvertTo.html
- File opened for modification C:\Program Files\DenyUnlock.css
- File opened for modification C:\Program Files\MeasurePublish.bat
- File opened for modification C:\Program Files\MergeReceive.xltm
- File opened for modification C:\Program Files\SuspendOpen.bmp
- File opened for modification C:\Program Files\SwitchComplete.wmv
- File opened for modification C:\Program Files\WriteExit.xlsm
- File created C:\Program Files\DECRYPT-FILES.txt
- File opened for modification C:\Program Files\DisconnectAssert.cab
- File opened for modification C:\Program Files\ExportRestore.wmf
- File opened for modification C:\Program Files\GrantSplit.mhtml
- File opened for modification C:\Program Files\OutMount.ogg
- File opened for modification C:\Program Files (x86)\6b850caf7e9a7f18.tmp
- File opened for modification C:\Program Files\ConvertCheckpoint.shtml
- File opened for modification C:\Program Files\ExpandUnpublish.wmv
- File opened for modification C:\Program Files\FindRedo.easmx
- File opened for modification C:\Program Files\GroupImport.3g2
-
Drops file in Windows directory 3 IoCs
Processes: svchost.exe, TiWorker.exe
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- File opened for modification C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification C:\Windows\WinSxS\pending.xml (TiWorker.exe)
Neither process is in the sample's process tree: these are Delivery Optimization and Windows servicing (CBS / Windows Modules Installer worker) writes that happen in the background of the sandbox VM.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the only hits come from MusNotifyIcon.exe, a Windows Update notification component that is not part of the sample's process tree, so this signature is sandbox background noise rather than evasion by the sample.
Processes: MusNotifyIcon.exe
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
-
Modifies data under HKEY_USERS 45 IoCs
Processes: svchost.exe (-k NetworkService; S-1-5-20 is the NETWORK SERVICE account)
All 45 entries are under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\ and are the Delivery Optimization service's own bookkeeping, not activity of the sample:
- Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (int) Usage\MonthID = "2"
- Set value (int) Usage\LANConnectionCount = "0"
- Set value (int) Usage\DownlinkBps = "0"
- Key created Settings
- Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int) Usage\SwarmCount = "1"
- Set value (int) Usage\InternetConnectionCount = "0"
- Set value (int) Usage\DownlinkUsageBps = "0"
- Set value (int) Usage\UploadRatePct = "100"
- Set value (int) Usage\PriorityDownloadPendingCount = "0"
- Set value (int) Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) Usage\FrDownloadRatePct = "90"
- Set value (int) Usage\MonthlyUploadRestriction = "0"
- Set value (int) Usage\NormalDownloadCount = "0"
- Set value (int) Usage\MemoryUsageKB = "4172"
- Key created Usage
- Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int) Usage\PeerInfoCount = "0"
- Set value (int) Usage\LinkLocalConnectionCount = "0"
- Set value (int) Usage\BkDownloadRatePct = "45"
- Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int) Usage\CacheSizeBytes = "0"
- Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) Usage\CDNConnectionCount = "0"
- Set value (int) Usage\PriorityDownloadCount = "0"
- Key created (the DeliveryOptimization key itself)
- Key created Config
- Set value (int) Usage\NormalDownloadPendingCount = "0"
- Set value (str) Usage\CPUpct = "0.236407"
- Set value (int) Usage\UploadMonthlyLanBytes = "0"
- Set value (int) Usage\DownloadMonthlyLanBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
- Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) Usage\UplinkBps = "0"
- Set value (int) Config\DownloadMode_BackCompat = "1"
- Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) Config\KVFileExpirationTime = "132897028915191023"
- Set value (int) Usage\GroupConnectionCount = "0"
- Set value (int) Usage\UplinkUsageBps = "0"
- Set value (int) Usage\UploadCount = "0"
- Set value (int) Config\DODownloadMode = "1"
- Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: regsvr32.exe
- PID 2304 regsvr32.exe
- PID 2304 regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: vssvc.exe, TiWorker.exe, wmic.exe
Privileges enabled per process, in order of first appearance (the report lists many of them repeatedly; the listing stops at the 64-entry display limit, part-way through wmic.exe's second pass):
- vssvc.exe (PID 3760): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- TiWorker.exe (PID 1196): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, cycled repeatedly through the run
- wmic.exe (PID 724, the same sequence recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the numeric entries are privilege LUIDs the sandbox did not resolve to names)
The broad wmic.exe set is typical of wmic.exe itself, which enables the privileges present in its token at start-up; what matters for this sample is that wmic.exe was launched by PID 2304 with the shadowcopy delete argument, not the privilege list. The vssvc.exe and TiWorker.exe entries come from Windows services, not from the sample.
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: regsvr32.exe, regsvr32.exe
- PID 872 regsvr32.exe wrote to memory of PID 2304 regsvr32.exe (3 events)
- PID 2304 regsvr32.exe wrote to memory of PID 724 wmic.exe (2 events)
Both are parent-to-child writes at process creation (the 64-bit regsvr32.exe starting its SysWOW64 counterpart for the 32-bit DLL, and that child starting wmic.exe), consistent with normal process creation rather than injection into an unrelated process.
Processes
Of the entries below, only the regsvr32.exe → regsvr32.exe → wmic.exe chain belongs to the sample; the other depth-1 processes are Windows services that ran in the sandbox during the observation window.
-
C:\Windows\system32\regsvr32.exe (PID 872, depth 1)
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe (PID 2304, depth 2, child of 872)
Command line: /s C:\Users\Admin\AppData\Local\Temp\543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll
The 64-bit regsvr32.exe hands a 32-bit DLL to its SysWOW64 counterpart, so all of the sample's own activity (file renames, ransom notes, wmic.exe launch) comes from PID 2304.
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe (PID 724, depth 3, child of 2304)
Command line: "C:\gghls\wsra\..\..\Windows\xk\..\system32\y\x\..\..\wbem\yry\ail\yp\..\..\..\wmic.exe" shadowcopy delete
The image path resolves to C:\Windows\system32\wbem\wmic.exe; the junk directories and ".." hops exist to defeat command-line rules that match the literal wmic.exe path.
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (PID 3760, depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe (depth 1)
Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1196, depth 1)
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
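The obfuscated wmic.exe path in the process tree above is exactly what a literal command-line rule misses, because the string "wbem\wmic.exe" never appears in it. The following is an added example, not code from the report, the sandbox or any EDR product: it splits the image from the arguments with Windows argv[0] quoting rules, normalises the image path with Windows path semantics (so "..", case and the SysWOW64 alias collapse), and only then applies a few small rules. The wmic.exe command line is copied from the process tree; the regsvr32.exe line is reconstructed by prefixing the SysWOW64 image to the arguments shown; the rules, the %systemroot% expansion table and the SysWOW64 folding are this example's own assumptions.

```python
"""Normalise Windows command lines before matching LOLBin detection rules.

Added example; not code from the report or from any sandbox/EDR vendor.
Command lines are taken from the report's process tree; the rules, the
environment-prefix table and the SysWOW64 folding are assumptions.
"""
import ntpath
import re

# Copied from the report: wmic.exe reached through junk directories and '..' hops.
WMIC_CMDLINE = r'"C:\gghls\wsra\..\..\Windows\xk\..\system32\y\x\..\..\wbem\yry\ail\yp\..\..\..\wmic.exe" shadowcopy delete'
# Reconstructed from the report's SysWOW64 regsvr32.exe entry (image + its '/s <dll>' arguments).
REGSVR32_CMDLINE = r"C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\543f72aaf9b4e0b2b5aa1dfb01ba9ee981f012bb1ea0029f2da35f3962b1f47b.dll"

# Assumed expansion for environment-style prefixes seen in sandbox process lists.
ENV_PREFIXES = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}


def split_image(cmdline: str) -> tuple:
    """Return (image path, argument string) using Windows quoting rules for argv[0]."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, rest = cmdline.partition(" ")
    return image, rest.strip()


def normalize_image(path: str) -> str:
    """Fold case, expand env prefixes, collapse '.'/'..' segments, unify SysWOW64 with system32."""
    lowered = path.lower()
    for prefix, expansion in ENV_PREFIXES.items():
        if lowered.startswith(prefix):
            lowered = expansion.lower() + lowered[len(prefix):]
    # ntpath applies Windows path semantics regardless of the host OS the detector runs on.
    norm = ntpath.normpath(lowered)
    return norm.replace("\\syswow64\\", "\\system32\\")


# Detection rules are this example's own: (name, normalised image suffix, argument regex).
RULES = [
    ("shadow copy deletion via wmic", r"\windows\system32\wbem\wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("shadow copy deletion via vssadmin", r"\windows\system32\vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("regsvr32 registering a DLL from a user temp directory", r"\windows\system32\regsvr32.exe",
     re.compile(r"\\appdata\\local\\temp\\[^\s]+\.dll", re.I)),
]


def evaluate(cmdline: str) -> dict:
    """Normalise one command line and return the rules it matches."""
    image, args = split_image(cmdline)
    image_norm = normalize_image(image)
    hits = [name for name, suffix, arg_re in RULES
            if image_norm.endswith(suffix) and arg_re.search(args)]
    return {"image": image, "image_norm": image_norm, "args": args, "hits": hits}


if __name__ == "__main__":
    for cmd in (WMIC_CMDLINE, REGSVR32_CMDLINE):
        print(evaluate(cmd))
```

Matching on the normalised image rather than the raw string is the whole point: the raw wmic.exe line contains neither "wbem\wmic.exe" nor a consistent casing, yet after normpath it is the standard system32 path. Folding SysWOW64 into system32 lets one rule cover both the 64-bit and the WoW64 copy of a binary, which is what this sample's regsvr32.exe handoff exercises.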
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\??\PIPE\wkssvc
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of empty input: the only "download" captured is a zero-byte handle to the Workstation service named pipe, not a file the sample fetched over the network.
-
memory/2304-130-0x0000000003480000-0x00000000034DD000-memory.dmp (filesize 372KB)
-
memory/2304-131-0x0000000004DD0000-0x0000000004E2E000-memory.dmp (filesize 376KB)
-
memory/2304-135-0x0000000004DD1000-0x0000000004E0A000-memory.dmp (filesize 228KB)
All three dumps are from PID 2304, the SysWOW64 regsvr32.exe in which the sample's code runs.