Malware Analysis Report

2024-09-22 14:43

Sample ID 230507-dwry1aab65
Target VirusShare_61b32a82577a7ea823ff7303ab6b4283
SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Tags: maze ransomware spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

Threat Level: Known bad

The file VirusShare_61b32a82577a7ea823ff7303ab6b4283 was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Reads user/profile data of web browsers

Drops startup file

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-05-07 03:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-07 03:21

Reported

2023-05-07 03:26

Platform

win10v2004-20230220-en

Max time kernel

205s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

Signatures

Maze

trojan ransomware maze

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6bef0cac45fde2e1.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bef0cac45fde2e1.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SuspendResize.mhtml C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UnlockCompress.mhtml C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\FormatEnable.docx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\MeasureImport.jpe C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\InitializeFind.xml C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\PushJoin.html C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DismountPing.mp4v C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\FindSend.xps C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ReceiveInstall.ocx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SuspendUnprotect.dwg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UseCheckpoint.ocx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\EnterStart.mpeg3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ExitRename.xml C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\GrantNew.vdx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\GrantUnprotect.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RemoveLock.tif C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\6bef0cac45fde2e1.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\6bef0cac45fde2e1.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
BE 8.238.110.126:80 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 20.50.201.195:443 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 52.152.110.14:443 tcp
RU 91.218.114.4:80 tcp
US 52.152.110.14:443 tcp
RU 91.218.114.4:80 tcp
US 52.152.110.14:443 tcp
RU 91.218.114.11:80 tcp
US 52.152.110.14:443 tcp
RU 91.218.114.11:80 tcp
US 52.152.110.14:443 tcp
RU 91.218.114.25:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 91.218.114.25:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp

Files

memory/1100-133-0x0000000000600000-0x000000000065E000-memory.dmp

memory/1100-137-0x0000000000600000-0x000000000065E000-memory.dmp

memory/1100-139-0x0000000000600000-0x000000000065E000-memory.dmp

memory/1100-143-0x0000000000600000-0x000000000065E000-memory.dmp

C:\odt\DECRYPT-FILES.txt

MD5 14edc0b95785d082cfa01fb706935dcb
SHA1 85d2b3aad7c0366a9397c41f050fbbcd1ed0c51e
SHA256 080d710db3d39260681e726ffd5dee92890a0acf4d0f88f48579344eb1c471f5
SHA512 343b263b8a16091afc1032d9f2ca0235ebce32b61a31841f7c56df3ed9f6a059f6c33e70187e93c908d2c7435571fb40662a5bcd40c0edccfed4d142326159b0

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-07 03:21

Reported

2023-05-07 03:25

Platform

win7-20230220-en

Max time kernel

169s

Max time network

191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

Signatures

Maze

trojan ransomware maze

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MountExpand.vstx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RevokeConvertFrom.dib C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SetExpand.odt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SkipPop.wpl C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DenyRevoke.7z C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\JoinImport.wav C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CopySearch.mov C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DenyFind.jtx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\HideSwitch.mp3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\NewResume.wm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RestartOpen.vsdm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RevokeInvoke.dib C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CompletePush.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertFromRestart.wpl C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SaveSend.xlt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SubmitTest.php C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\AssertBlock.M2T C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertFromMove.001 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RemoveClear.vsd C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RepairReset.gif C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UsePublish.search-ms C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RegisterExpand.001 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SaveRepair.au3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SendWatch.odt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\StepSelect.cfg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ExportSkip.cab C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ReceiveHide.svg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\6cd10cc6b4481b5c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UninstallRename.rm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\FormatSearch.pptx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ResolveInitialize.vssm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DisconnectPop.mpeg3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\MountUninstall.ex_ C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
RU 91.218.114.4:80 tcp
RU 91.218.114.4:80 tcp
RU 91.218.114.4:80 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.11:80 tcp

Files

memory/948-54-0x0000000000220000-0x000000000027E000-memory.dmp

memory/948-58-0x0000000000220000-0x000000000027E000-memory.dmp

memory/948-60-0x0000000000220000-0x000000000027E000-memory.dmp

memory/948-66-0x0000000000220000-0x000000000027E000-memory.dmp

C:\MSOCache\DECRYPT-FILES.txt

MD5 5a67fbefd837bb039acb6e1a2484fd21
SHA1 955229b54cbf5366d034f02e83ae5eb7d2cd038a
SHA256 2d717ca4536886bdfaa29e7d8ef8ea97eae23f4365f9b57535c8365f40ec9eae
SHA512 28326547a8321cca0298680e367ff50280d1f643d84f5580cca27a29fcefa2a8360f6f635a424e1e72b028708fd49451d23672577d597d79b05493e4cbb493f7