Analysis Overview
SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Threat Level: Known bad
The file 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops startup file
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies registry class
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-15 11:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-15 11:24
Reported
2023-02-15 11:27
Platform
win7-20220812-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.mCh5tp7 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.fVOHX91 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PopReceive.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.mCh5tp7 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cc30cc3a534c1ad.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.jt1CIl4 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.jt1CIl4\ = "jt1CIl4_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file\shell\open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\jt1CIl4_auto_file\shell\open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\h\..\Windows\enbh\nniu\..\..\system32\nwf\sch\..\..\wbem\ug\laf\bs\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SwitchClear.css.jt1CIl4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\SwitchClear.css.jt1CIl4"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\Desktop\SwitchClear.css.jt1CIl4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.0.89696998\922366129" -parentBuildID 20200403170909 -prefsHandle 1476 -prefMapHandle 1252 -prefsLen 1 -prefMapSize 215966 -appdir "C:\Program Files\Mozilla Firefox\browser" - 224 "\\.\pipe\gecko-crash-server-pipe.224" 1216 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.6.1396584644\716256779" -childID 1 -isForBrowser -prefsHandle 1812 -prefMapHandle 1808 -prefsLen 1138 -prefMapSize 215966 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 224 "\\.\pipe\gecko-crash-server-pipe.224" 1916 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.13.518744384\1021619839" -childID 2 -isForBrowser -prefsHandle 1876 -prefMapHandle 1872 -prefsLen 1172 -prefMapSize 215966 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 224 "\\.\pipe\gecko-crash-server-pipe.224" 2208 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.20.1076030175\1814424290" -childID 3 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 1508 -prefMapSize 215966 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 224 "\\.\pipe\gecko-crash-server-pipe.224" 5632 tab
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| N/A | 127.0.0.1:49178 | tcp | |
| N/A | 127.0.0.1:49180 | tcp | |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 54.186.134.37:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| N/A | 127.0.0.1:49182 | tcp | |
| N/A | 127.0.0.1:49184 | tcp | |
| US | 8.8.8.8:53 | cs9.wac.phicdn.net | udp |
| US | 8.8.8.8:53 | cs9.wac.phicdn.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | a1887.dscq.akamai.net | udp |
| US | 8.8.8.8:53 | search.services.mozilla.com | udp |
| US | 8.8.8.8:53 | normandy.cdn.mozilla.net | udp |
| US | 34.160.46.54:443 | search.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | a1887.dscq.akamai.net | udp |
| US | 35.201.103.21:443 | normandy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | normandy-cdn.services.mozilla.com | udp |
| US | 8.8.8.8:53 | normandy-cdn.services.mozilla.com | udp |
| US | 8.8.8.8:53 | search.r53-2.services.mozilla.com | udp |
| US | 8.8.8.8:53 | search.r53-2.services.mozilla.com | udp |
| NL | 88.221.25.162:80 | a1887.dscq.akamai.net | tcp |
| US | 8.8.8.8:53 | classify-client.services.mozilla.com | udp |
| US | 34.98.75.36:443 | classify-client.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod-classifyclient.normandy.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod-classifyclient.normandy.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 54.191.140.199:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 44.228.230.125:443 | push.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| NL | 88.221.25.162:80 | a1887.dscq.akamai.net | tcp |
| RU | 91.218.114.11:80 | tcp | |
| US | 8.8.8.8:53 | snippets.cdn.mozilla.net | udp |
| NL | 65.9.86.64:443 | snippets.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | d228z91au11ukj.cloudfront.net | udp |
| US | 8.8.8.8:53 | d228z91au11ukj.cloudfront.net | udp |
| US | 8.8.8.8:53 | accounts.firefox.com | udp |
| US | 35.164.137.251:443 | accounts.firefox.com | tcp |
| US | 8.8.8.8:53 | accounts.firefox.com | udp |
| US | 8.8.8.8:53 | accounts.firefox.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.wikipedia.org | udp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | dyna.wikimedia.org | udp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | www.reddit.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | reddit.map.fastly.net | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | reddit.map.fastly.net | udp |
| US | 8.8.8.8:53 | dyna.wikimedia.org | udp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp |
Files
memory/1720-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp
memory/1720-55-0x00000000004E0000-0x000000000053E000-memory.dmp
memory/1720-59-0x00000000004E0000-0x000000000053E000-memory.dmp
memory/1720-61-0x00000000004E1000-0x000000000051A000-memory.dmp
memory/1188-62-0x0000000000000000-mapping.dmp
memory/1536-63-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp
C:\Users\Admin\Desktop\SwitchClear.css.jt1CIl4
| MD5 | cc8c1ae2b1edd55518d6353e1725eaa6 |
| SHA1 | ac7918fb1acd7688c0c4d5e92ea7118e8d638535 |
| SHA256 | a71bcdf8c96da5282a6240bd0018ac99309ad821c67bdf5b9047051b8063b196 |
| SHA512 | 9740c569bb230c00ea854fba5a1b97234e716f4aa2cce41bcf47ff16919123fe0be6eb6bc55a7d263fa892b66808548a47987995762331d75e7f2b2d1e1f429a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\DECRYPT-FILES.txt
| MD5 | 07ee80612a5ce9ab526cfa29c9c0d2d0 |
| SHA1 | 93919668076513d9c7fd4c6e646d39da0f4f2096 |
| SHA256 | 39152c75bcefaa460c3501b3999461054eaab4f6f7aec37c5a7336760219ecd8 |
| SHA512 | 74b5d511e5ec2bde3a7f31f917c890b260204549cfc121b9deec0a0f2cee298d32cad01bc2a29695ec02cb11f20d0227ede9fa0f547ecae1399fec709ee78ba9 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-15 11:24
Reported
2023-02-15 11:27
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\DisconnectGet.crw => C:\Users\Admin\Pictures\DisconnectGet.crw.16ain | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountSearch.png => C:\Users\Admin\Pictures\DismountSearch.png.16ain | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockMeasure.crw => C:\Users\Admin\Pictures\LockMeasure.crw.JVjqbz | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameEnable.raw => C:\Users\Admin\Pictures\RenameEnable.raw.3g8hKq | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupConvertTo.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupConvertTo.tiff => C:\Users\Admin\Pictures\BackupConvertTo.tiff.FER3 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SaveEnter.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveEnter.tiff => C:\Users\Admin\Pictures\SaveEnter.tiff.3g8hKq | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestFormat.png => C:\Users\Admin\Pictures\TestFormat.png.6OjbqJF | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bed0cae75af675b.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6bed0cae75af675b.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1332 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1332 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\gvqaw\..\Windows\pnah\..\system32\lm\elib\..\..\wbem\paf\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x4b8
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp |
Files
memory/1332-132-0x00000000006F0000-0x000000000074E000-memory.dmp
memory/1332-136-0x00000000006F0000-0x000000000074E000-memory.dmp
memory/1332-138-0x00000000006F1000-0x000000000072A000-memory.dmp
memory/1476-139-0x0000000000000000-mapping.dmp