Malware Analysis Report

2024-09-22 14:38

Sample ID 220525-qw6tdaagd3
Target 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip
SHA256 a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a
Tags
maze ransomware spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a

Threat Level: Known bad

The file 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer suricata trojan

Maze

suricata: ET MALWARE Maze/ID Ransomware Activity

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-05-25 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-25 13:37
Reported: 2022-05-25 14:07
Platform: win7-20220414-en
Max time kernel: 1541s
Max time network: 1248s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

Signatures

Maze (trojan, ransomware, maze)

suricata: ET MALWARE Maze/ID Ransomware Activity (suricata)

Deletes shadow copies (ransomware)

Modifies extensions of user files (ransomware)

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.7ZzBSjf C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertToRequest.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.K8M5R C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.IN6l95 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.7ZzBSjf C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.7ZzBSjf C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.K8M5R C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.K8M5R C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.XkDOly C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Reads user/profile data of web browsers (spyware, stealer)

Sets desktop wallpaper using registry (ransomware)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\LimitSkip.mpeg2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SwitchInstall.mpa C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DisablePublish.shtml C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\InitializeProtect.png C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DisablePublish.vssx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\OutRepair.iso C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\WaitRename.pptm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\CompleteUpdate.css C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConnectPush.3gp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\InitializeStart.eprtx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ReceivePublish.docx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnblockUnregister.mpp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UndoApprove.xlsm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\AssertUnregister.ex_ C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\EnterDeny.vbe C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\RevokeEnter.ppsm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\AddExpand.xhtml C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PublishConnect.mhtml C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\MergeSync.wma C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ResetReceive.aifc C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DisconnectRegister.lock C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\LockImport.asx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PublishWait.wvx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DenySync.gif C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\GrantRequest.dxf C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\885e098f19647d13.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DenyExport.doc C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\LockStep.ADTS C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\StartCompress.ods C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wordupd.exe

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\ai\..\Windows\fooy\..\system32\dpiu\tg\..\..\wbem\lk\qvy\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x180

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x40c

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x408

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x454

Network


Files

memory/1980-54-0x00000000004C0000-0x0000000000561000-memory.dmp

memory/1980-55-0x0000000076C01000-0x0000000076C03000-memory.dmp

memory/1980-56-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/340-57-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-25 13:37
Reported: 2022-05-25 14:03
Platform: win10v2004-20220414-en
Max time kernel: 1429s
Max time network: 1423s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

Signatures

Maze (trojan, ransomware, maze)

suricata: ET MALWARE Maze/ID Ransomware Activity (suricata)

Deletes shadow copies (ransomware)

Modifies extensions of user files (ransomware)

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SendSelect.png => C:\Users\Admin\Pictures\SendSelect.png.Th5u C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\ShowRestore.png => C:\Users\Admin\Pictures\ShowRestore.png.Th5u C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\TestConfirm.png => C:\Users\Admin\Pictures\TestConfirm.png.Th5u C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\FindRedo.tif => C:\Users\Admin\Pictures\FindRedo.tif.mFM1mh C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\JoinApprove.raw => C:\Users\Admin\Pictures\JoinApprove.raw.SyUuZ7 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\MoveGroup.tif => C:\Users\Admin\Pictures\MoveGroup.tif.W7D9LWH C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\889609ac71af7fdf.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\889609ac71af7fdf.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Reads user/profile data of web browsers (spyware, stealer)

Sets desktop wallpaper using registry (ransomware)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\EnableGrant.js C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\OutMeasure.jpg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PublishUse.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UndoUnpublish.js C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\889609ac71af7fdf.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ApproveSubmit.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DismountUnregister.mp3 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnblockTest.dotx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DismountReset.midi C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\FormatTest.ttc C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\NewUnlock.xlsb C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnpublishSave.mpeg3 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\CompareCompress.nfo C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\JoinAdd.potx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UseSwitch.xlsm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ProtectShow.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\889609ac71af7fdf.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UseStep.dwg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\WatchComplete.htm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\EnablePush.search-ms C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PingSwitch.rmi C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SelectRedo.cfg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\FormatInvoke.i64 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SelectExport.WTV C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\StopUninstall.mhtml C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe C:\Windows\system32\wbem\wmic.exe
PID 4120 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe C:\Windows\system32\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\wordupd.exe

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\dnce\..\Windows\nv\e\..\..\system32\hw\..\wbem\dyg\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310

Network


Files

memory/4120-130-0x00000000021D0000-0x0000000002271000-memory.dmp

memory/4120-131-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/5032-132-0x0000000000000000-mapping.dmp