Malware Analysis Report

2024-09-22 14:32

Sample ID 230305-nlntpsfg3y
Target 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Tags
maze ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

Threat Level: Known bad

The file 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-03-05 11:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-05 11:29

Reported

2023-03-05 11:32

Platform

win7-20230220-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DebugLock.tif => C:\Users\Admin\Pictures\DebugLock.tif.9DAQf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\GrantWait.crw => C:\Users\Admin\Pictures\GrantWait.crw.9DAQf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\LimitRename.tif => C:\Users\Admin\Pictures\LimitRename.tif.bI961 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\SearchConvert.crw => C:\Users\Admin\Pictures\SearchConvert.crw.Eata C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\WaitInitialize.png => C:\Users\Admin\Pictures\WaitInitialize.png.opCm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeWrite.crw => C:\Users\Admin\Pictures\InvokeWrite.crw.aykHI C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\ResetTrace.crw => C:\Users\Admin\Pictures\ResetTrace.crw.hK26 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveEnable.tiff C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveEnable.tiff => C:\Users\Admin\Pictures\ResolveEnable.tiff.hK26 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeCompress.crw => C:\Users\Admin\Pictures\RevokeCompress.crw.Eata C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToClose.png => C:\Users\Admin\Pictures\ConvertToClose.png.oCTO C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.aykHI C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\Pictures\RemoveEnable.tiff C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveEnable.tiff => C:\Users\Admin\Pictures\RemoveEnable.tiff.m2Cepnq C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReadConvertFrom.tiff C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\ReadConvertFrom.tiff => C:\Users\Admin\Pictures\ReadConvertFrom.tiff.fntBMf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\RequestFind.png => C:\Users\Admin\Pictures\RequestFind.png.m2Cepnq C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CompareInvoke.js C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\SaveRemove.hta C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ConvertFromReceive.mpeg C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\MergeUnprotect.docm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ProtectGrant.wm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\PublishShow.wmv C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\SyncPublish.wdp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\TestTrace.easmx C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\CheckpointNew.otf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ConnectExit.wmf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ConvertFromReceive.svg C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\PushShow.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\RequestExport.mpeg3 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UnblockCopy.ps1 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UnregisterStop.mhtml C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\BlockSelect.vdw C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\DismountUpdate.svgz C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ExportCompare.htm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\GetDisconnect.odt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\RepairGroup.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\TestReset.ram C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\TraceConvertFrom.3gpp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files (x86)\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\BackupComplete.jpg C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UnprotectBackup.xla C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ClearMerge.jpeg C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\CompareWait.M2V C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\ConfirmApprove.rtf C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\DismountCopy.vsdm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\WatchUse.pps C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\CompleteRedo.easmx C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\LimitInitialize.ini C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UpdateTrace.ex_ C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\6c2f0cc3c1c662fb.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\DenyDisable.mpa C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\OpenHide.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\RegisterWatch.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\StopDeny.jpg C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\mcrki\..\Windows\jdeg\dcp\..\..\system32\mnpi\gx\a\..\..\..\wbem\gn\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc4

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt

Network


Files

memory/1992-54-0x00000000003A0000-0x00000000003FE000-memory.dmp

memory/1992-58-0x00000000003A0000-0x00000000003FE000-memory.dmp

memory/1992-60-0x00000000003A0000-0x00000000003FE000-memory.dmp

memory/1992-64-0x00000000003A0000-0x00000000003FE000-memory.dmp

C:\MSOCache\DECRYPT-FILES.txt

MD5 9af7422576b0588eec4bd5fe2ee0648e
SHA1 456d980deb47988a71e1e5a780ef4f7e45de3ac6
SHA256 f84a49a031ef54e74047bb689b3b44c44b1fdf12356faeb3794c524a521e7924
SHA512 87907c834f52661df2b246d96ca629e3dbc6517a3ed026a79a42bc351bbf68fa2b71f4f4bf92ecb59b0d70ac88e2436d63cc231f05458f56de5ae24dfeaa1f24

memory/1992-963-0x00000000003A0000-0x00000000003FE000-memory.dmp

C:\Users\Public\Desktop\DECRYPT-FILES.txt

MD5 9af7422576b0588eec4bd5fe2ee0648e
SHA1 456d980deb47988a71e1e5a780ef4f7e45de3ac6
SHA256 f84a49a031ef54e74047bb689b3b44c44b1fdf12356faeb3794c524a521e7924
SHA512 87907c834f52661df2b246d96ca629e3dbc6517a3ed026a79a42bc351bbf68fa2b71f4f4bf92ecb59b0d70ac88e2436d63cc231f05458f56de5ae24dfeaa1f24

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_C76253F8ECBA4CDDA8595AC91DCDD323.dat

MD5 33b2ddddbd1a682c498530be14916a8c
SHA1 41c9ab2bd39db4af228af18956a2cd43583872f5
SHA256 48aa9afdf57aa72861d31bc9413e7f98a347031a7c61b9beb3e88ce843d64bf1
SHA512 f6c1224c27f645f485632610e35b8aaec9bc4997a7e0a974cd91460636c9c191911b4c6bdb5be12473ccf35483acd931a6537a3b96673e0e0e11dd7be6d5592a

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-05 11:29

Reported

2023-03-05 11:32

Platform

win10v2004-20230221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\TraceOpen.crw => C:\Users\Admin\Pictures\TraceOpen.crw.uFRJA C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockResolve.crw => C:\Users\Admin\Pictures\UnlockResolve.crw.78POyq C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\WriteSuspend.png => C:\Users\Admin\Pictures\WriteSuspend.png.78POyq C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\Pictures\AddApprove.tiff C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\GroupJoin.png => C:\Users\Admin\Pictures\GroupJoin.png.2cRz C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\MeasureEdit.tif => C:\Users\Admin\Pictures\MeasureEdit.tif.2cRz C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterLimit.tif => C:\Users\Admin\Pictures\RegisterLimit.tif.rBJO C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\AddApprove.tiff => C:\Users\Admin\Pictures\AddApprove.tiff.oP07cj C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\EnablePop.tif => C:\Users\Admin\Pictures\EnablePop.tif.xwJsH9 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File renamed C:\Users\Admin\Pictures\RestartCompress.tif => C:\Users\Admin\Pictures\RestartCompress.tif.uFRJA C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d5d0ce044fda57d.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6d5d0ce044fda57d.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DisableComplete.ram C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\SplitPush.css C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\SubmitMove.xla C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files (x86)\6d5d0ce044fda57d.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\6d5d0ce044fda57d.tmp C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UnprotectOut.css C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\OpenReceive.ppsm C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\InitializeWrite.ex_ C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\MeasureImport.tiff C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\RemoveDebug.xht C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\RestoreBackup.DVR C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\UndoClose.3g2 C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\WaitDebug.css C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\CheckpointGet.ps1xml C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\CompressSync.tif C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File opened for modification C:\Program Files\SkipConnect.aifc C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\rtcto\tj\dkxqc\..\..\..\Windows\intq\..\system32\kylgh\yupck\..\..\wbem\xucj\ub\utgq\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x518 0x510

Network


Files

memory/760-133-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/760-137-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/760-139-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/760-143-0x00000000005B0000-0x000000000060E000-memory.dmp

C:\odt\DECRYPT-FILES.txt

MD5 a593617c4ae144fe5539d6767e141b8d
SHA1 ec815aeb04bbc743013db0949784c0f1ed83dc91
SHA256 4b6866f1ed3302b108fe79b2e1142c9f561ad07a19842d4eac5ce54f335e1dbb
SHA512 2e25153b2704debf16bdd06773639e9d6da1aedb6f9ebc9ae5cad31cb98524faa55249aa104538c9001a3c09ebdabb8c230abea318496791b9d955a8e3616f0e

memory/760-876-0x00000000005B0000-0x000000000060E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_C4BA9D31D93542A79C20AED9222F0E1B.dat

MD5 9c6324a38ee9396bb7da6df8698b93bd
SHA1 9322fa2b872bd035c4549fce5517cea90fa54d92
SHA256 a434d7da1eaa06ee3ab791862fe88a291cb3f28ba06407945d1fd6461a711073
SHA512 f5c79d557520b2eb360e731e0cf0289de9405ef79b879cddec21c444aa51208308fa7d5570b9730c425d97f8e15b9d560061dc6d0953efcbca0ebcc571823232