Analysis Overview
SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Threat Level: Known bad
The file VirusShare_61b32a82577a7ea823ff7303ab6b4283 was found to be: Known bad.
Malicious Activity Summary
Maze
Reads user/profile data of web browsers
Drops startup file
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-07 03:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-07 03:21
Reported
2023-05-07 03:26
Platform
win10v2004-20230220-en
Max time kernel
205s
Max time network
241s
Command Line
Signatures
Maze
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6bef0cac45fde2e1.tmp | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bef0cac45fde2e1.tmp | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| BE | 8.238.110.126:80 | | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| NL | 20.50.201.195:443 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
Files
memory/1100-133-0x0000000000600000-0x000000000065E000-memory.dmp
memory/1100-137-0x0000000000600000-0x000000000065E000-memory.dmp
memory/1100-139-0x0000000000600000-0x000000000065E000-memory.dmp
memory/1100-143-0x0000000000600000-0x000000000065E000-memory.dmp
C:\odt\DECRYPT-FILES.txt
| MD5 | 14edc0b95785d082cfa01fb706935dcb |
| SHA1 | 85d2b3aad7c0366a9397c41f050fbbcd1ed0c51e |
| SHA256 | 080d710db3d39260681e726ffd5dee92890a0acf4d0f88f48579344eb1c471f5 |
| SHA512 | 343b263b8a16091afc1032d9f2ca0235ebce32b61a31841f7c56df3ed9f6a059f6c33e70187e93c908d2c7435571fb40662a5bcd40c0edccfed4d142326159b0 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-07 03:21
Reported
2023-05-07 03:25
Platform
win7-20230220-en
Max time kernel
169s
Max time network
191s
Command Line
Signatures
Maze
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cd10cc6b4481b5c.tmp | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
Files
memory/948-54-0x0000000000220000-0x000000000027E000-memory.dmp
memory/948-58-0x0000000000220000-0x000000000027E000-memory.dmp
memory/948-60-0x0000000000220000-0x000000000027E000-memory.dmp
memory/948-66-0x0000000000220000-0x000000000027E000-memory.dmp
C:\MSOCache\DECRYPT-FILES.txt
| MD5 | 5a67fbefd837bb039acb6e1a2484fd21 |
| SHA1 | 955229b54cbf5366d034f02e83ae5eb7d2cd038a |
| SHA256 | 2d717ca4536886bdfaa29e7d8ef8ea97eae23f4365f9b57535c8365f40ec9eae |
| SHA512 | 28326547a8321cca0298680e367ff50280d1f643d84f5580cca27a29fcefa2a8360f6f635a424e1e72b028708fd49451d23672577d597d79b05493e4cbb493f7 |