maze | 51f987ca424efa1e278fef26c8b7f26ba44ea7aa2d19f5b4dae1d9818877fe74

General

Target

51f987ca424efa1e278fef26c8b7f26ba44ea7aa2d19f5b4dae1d9818877fe74.dll
Size

594KB
MD5

6af23009c00136a035654607fd423a24
SHA1

5375aa02c6dab85ece057a2e0d3603fc02f04f52
SHA256

51f987ca424efa1e278fef26c8b7f26ba44ea7aa2d19f5b4dae1d9818877fe74
SHA512

ed82a43c12c459bf3cf09b03d4db7399a76c7bcfc16f88eea334f4db1ec2768664900cb6a4c92e659112e7bd126ebf35eed32beb66f20c5d201ede1d4946b3db

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2b0cc8b45c5c18 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c2b0cc8b45c5c18 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- /xn8YP+KRu2fQR82dKAbjEAsM9OVLrXvy6++7EfxiV/eS3/7O2baIxI2m9s4Ypte62LqR++NZCID4+YsqymiiSjcJ12RF4LkSO9/7K2geKSi4LNaio6hhZgZWQs0Qbdjtbkj4c/ynXjVzpU9pyfiE7jgBa7DbSEoqo4Stln2Ph9XUyMnc0qAk6bBQmtASISt6J/VEX0ozbAt9NqnWllSLI46pHOomyQeCXtkP0DQRWqERcJORuvvwJu26wcYqmUN2V2w/72rySDdvjHmcJdYBnZLFxmRmEw9M+e4O9VrRRO4oJtL48s/gICkelWt5Wfq0r6/Bgt1iJtOBrfAMc5IokZgkGV+PzXnIcMh/avydabKZASc5gi20agc7D+GTi3Ag7AXLFkzPXRqUa9y1d4NwFbyM1FL+3QyjPe4F1ZTnby3L51UZAyAgD6kd6JgOCmm2x4Wkv1hAVo/XtCc1jeXjspHCtcF/9ITdaHdDsPfNXcYBjlMq8v86B3RzNRC+Xkmtf5irFRYGz1ZkDolFaHkqH+sWD2MqqE6vRTeIf1Wyt7s7H7GNrxkTWNBF7Xye2Yn8iix95Rd6c2AT3kFnL6xhVZmVfqF85fHxCclUX1UBW4ZEeKeB2lonHcXr232vPreVWVDn+XExzqRO2GyWWxJ/4NCY9mK9aGEf97e3rg1ShWSw6ujxf0oe4y77oNwZlNvPMQ1ThN8gr8dySTV7iI4pMN8OJe89rtDm013ZhP22jTeTGp8Q5WabjdBhAPCVZgnX8sj8hEm4H3UFq1mdUusXnVnORh5RlMRBPuMPbR3ynV1dUTy3r8mDnEhebulCQBUz6UVPEfmg0psLgkZB6Hb8p4qpT8LqPFY4TErNbCcNQVz3LUTMot08E34R+GbBL2azeFebrqC3g5PAXgK7avxPVdu8nNYPT0q6LvMp2GESpb7/G61xN4tP8HcgXgYCG4FHhPVJn0/EK1t4o+aznEWBzb3Bv679o2pYHoNYYuedDINGNIANrtkId7ZgmgZxOhdIk6wIDmne5yAPmMPA+WtGL/L/6J5Od9Wvijxthz7nSa6Kh67joQVlO6UkiW1TsXjCInxn2FYNB+2vl07PaeLKN6oHpAm7FEYrKfg7witn5veBJT8S9HTfcw7guOk+yGyIfsaHVuEgzXy2/J/PPmwWZlpoPQaeLCTUR/71yscwCYURDNMh85Le0z8RWHDpO5OYq4HtVsFh1gsbMfQP2yp91lFcvXrIrNQbbLnOM3wAiVT2ZwXl4wBaoJ4ZJdvLUpeajr1bUrhHM5C48uCK6bREGwQdOFeZolrk4LUOq4PSID5GEX0nHct5gqu6sfRThShadDOb9Po0OTON0QYEhLnN0cTZcVerFqt7bIwtIFK3Qg4bWnadoJK3Yu2A24PGuR6WAMC8ugTM93wfIkCEWRYH0YeLBAXkFECKBhV3rLPLmhzUe4Wvqw7FJgZ6AXJTpwR1hMN2KWwHpreyt0J4N/5UYtxqbKQoAxaLhAEMjUtWAFEEAqXHR62x5Y01jsngkgEbY+bcHA4lttIRMbdO+Bdq+ZRfH1CmwH0rLAdPLyYMPnmlyY/Y9O/eplholFZ+OJGcM8N1D6+KlNUctXwFnc+CkjFbdYJFmjkj5aKIIOSUw9ggCYFhQjJhTQBjttzaj7mY12bjIf3L5oEkG9YsEZl6We6X2964nWymrWq+HKJphthqk5WbNR5vPIF/tNk/AY2iX7S3xmiekDC5ZAwUZ061+mDD/FABzVGYOnpHXy8iKDl8eeJPX2x+n9GASb8YqRUzshxzsrxKhggX6HxZ073DBPZW1kqAm+7vieK/Px/oaJuqMvRSYrFENfYWoLkNxDBSNBA70UsJfsnMtVZ51PEj7UOraJ9ii5l5DZ7A8h8q6LMG7pBBYyPAjq8tIbXfb4zj2Ecs22eb+Cv84+A3kBVboXpF5jBGmJDyvPc86SqadgvaiXDQOtqCkERkYg3u69i6Ht5Ng+wZQ5OxhiaaKZvGC4oUxibsFcMlUwLioZ9jrh8a4qHntjqeftgh7nhf4opI+/nI6QLnLmVlvGEVVeVEwCF+dUB1dqOJ835F/Dxk1KKl1vzI7COW0/v4/oQiwDqsvJ9Z1fRKXZjQc9UTqd/Uy2CTwwD2ZLu6UXUzcJDCwJ+EYhHoyyX8PlVOLseg5ZHsYY6AtTAO6mrgi57pRUSdcCsIi1LBSbO41SebnpzWAgW9hLtG1lf5UgeZtfj0CtzxDTwkAoiNgBjADIAYgAwAGMAYwA4AGIANAA1AGMANQBjADEAOAAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEoARABRAFAAWABPAFAAUgAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEI2fABDAF8ARgBfADIAMAA0ADcAOQAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHDU2rYOeAqAAQGKAQUyLjMuMg== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c2b0cc8b45c5c18

https://mazedecrypt.top/6c2b0cc8b45c5c18

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InitializeExit.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\InitializeExit.tiff => C:\Users\Admin\Pictures\InitializeExit.tiff.M5PHyq	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ResolveInvoke.png => C:\Users\Admin\Pictures\ResolveInvoke.png.Bkr5	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UpdateShow.tif => C:\Users\Admin\Pictures\UpdateShow.tif.wIe12	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ApproveNew.crw => C:\Users\Admin\Pictures\ApproveNew.crw.VAjIj	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\AssertUnlock.crw => C:\Users\Admin\Pictures\AssertUnlock.crw.VAjIj	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ClearReset.raw => C:\Users\Admin\Pictures\ClearReset.raw.VAjIj	regsvr32.exe

Drops startup file 4 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c2b0cc8b45c5c18.tmp	regsvr32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2b0cc8b45c5c18.tmp	regsvr32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	regsvr32.exe

Drops file in Program Files directory 25 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files\OpenMount.pub	regsvr32.exe
File opened for modification	C:\Program Files\SetResolve.mp2	regsvr32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\6c2b0cc8b45c5c18.tmp	regsvr32.exe
File opened for modification	C:\Program Files\ConfirmUnblock.htm	regsvr32.exe
File opened for modification	C:\Program Files\EditPop.pptm	regsvr32.exe
File opened for modification	C:\Program Files\EnableJoin.wma	regsvr32.exe
File opened for modification	C:\Program Files\ExportCheckpoint.MOD	regsvr32.exe
File opened for modification	C:\Program Files\WatchUnprotect.bat	regsvr32.exe
File opened for modification	C:\Program Files\CloseExit.mp4	regsvr32.exe
File opened for modification	C:\Program Files\LockClear.tiff	regsvr32.exe
File opened for modification	C:\Program Files\PingOptimize.mpeg	regsvr32.exe
File opened for modification	C:\Program Files\SetStop.ico	regsvr32.exe
File opened for modification	C:\Program Files\SwitchUnregister.pptm	regsvr32.exe
File opened for modification	C:\Program Files\ApproveRemove.pps	regsvr32.exe
File opened for modification	C:\Program Files\ApproveResolve.mp2	regsvr32.exe
File opened for modification	C:\Program Files\BlockUndo.zip	regsvr32.exe
File opened for modification	C:\Program Files\FormatRequest.3gp2	regsvr32.exe
File opened for modification	C:\Program Files (x86)\6c2b0cc8b45c5c18.tmp	regsvr32.exe
File opened for modification	C:\Program Files\InstallWrite.mhtml	regsvr32.exe
File opened for modification	C:\Program Files\ResizeSearch.xlsb	regsvr32.exe
File opened for modification	C:\Program Files\SplitRestart.bat	regsvr32.exe
File opened for modification	C:\Program Files\SwitchSubmit.html	regsvr32.exe
File opened for modification	C:\Program Files\UpdateUnblock.vsx	regsvr32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	regsvr32.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 30 IoCs

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1702"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2258"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2258"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5820"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5820"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2258"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "5820"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1702"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1702"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2008 regsvr32.exe
2008 regsvr32.exe

pid	process
2008	regsvr32.exe
2008	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	2604	vssvc.exe
Token: SeRestorePrivilege	2604	vssvc.exe
Token: SeAuditPrivilege	2604	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4420	wmic.exe
Token: SeSecurityPrivilege	4420	wmic.exe
Token: SeTakeOwnershipPrivilege	4420	wmic.exe
Token: SeLoadDriverPrivilege	4420	wmic.exe
Token: SeSystemProfilePrivilege	4420	wmic.exe
Token: SeSystemtimePrivilege	4420	wmic.exe
Token: SeProfSingleProcessPrivilege	4420	wmic.exe
Token: SeIncBasePriorityPrivilege	4420	wmic.exe
Token: SeCreatePagefilePrivilege	4420	wmic.exe
Token: SeBackupPrivilege	4420	wmic.exe
Token: SeRestorePrivilege	4420	wmic.exe
Token: SeShutdownPrivilege	4420	wmic.exe
Token: SeDebugPrivilege	4420	wmic.exe
Token: SeSystemEnvironmentPrivilege	4420	wmic.exe
Token: SeRemoteShutdownPrivilege	4420	wmic.exe
Token: SeUndockPrivilege	4420	wmic.exe
Token: SeManageVolumePrivilege	4420	wmic.exe
Token: 33	4420	wmic.exe
Token: 34	4420	wmic.exe
Token: 35	4420	wmic.exe
Token: 36	4420	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchApp.exe

pid process

4088 SearchApp.exe

pid	process
4088	SearchApp.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1804 wrote to memory of 2008	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 2008	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 2008	1804	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 4420	2008	regsvr32.exe	wmic.exe
PID 2008 wrote to memory of 4420	2008	regsvr32.exe	wmic.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\51f987ca424efa1e278fef26c8b7f26ba44ea7aa2d19f5b4dae1d9818877fe74.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\51f987ca424efa1e278fef26c8b7f26ba44ea7aa2d19f5b4dae1d9818877fe74.dll
2⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\wbem\wmic.exe
"C:\f\drvhp\j\..\..\..\Windows\wdpc\eviik\yuftj\..\..\..\system32\xfgr\..\wbem\kdllt\rq\..\..\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-136-0x000001F9B0540000-0x000001F9B0550000-memory.dmp

Filesize
64KB

Download
memory/1276-137-0x000001F9B05A0000-0x000001F9B05B0000-memory.dmp

Filesize
64KB

Download
memory/1276-138-0x000001F9B34C0000-0x000001F9B34C4000-memory.dmp

Filesize
16KB

Download
memory/2008-130-0x00000000007C0000-0x000000000081D000-memory.dmp

Filesize
372KB

Download
memory/2008-131-0x0000000002050000-0x00000000020AE000-memory.dmp

Filesize
376KB

Download
memory/2008-135-0x0000000002051000-0x000000000208A000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads