Analysis Overview
SHA256
6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
Threat Level: Known bad
The file 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Windows Defender anti-emulation file check
Drops startup file
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-09-19 12:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 12:29
Reported
2023-09-19 12:31
Platform
win10v2004-20230915-en
Max time kernel
86s
Max time network
94s
Command Line
Signatures
Maze
Deletes shadow copies
Windows Defender anti-emulation file check
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\aaa_TouchMeNot_.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8sysfk8l.tmp | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\decrypt-files.txt | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8sysfk8l.tmp | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 488 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 488 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\tk\..\Windows\omc\crtk\..\..\system32\h\tav\..\..\wbem\smrmv\cce\fi\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT-FILES.txt
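The process tree above shows the detail that matters for detection: wmic.exe is not launched from its real path but through a path padded with "..\" components, so a rule that compares the raw command line against C:\Windows\System32\wbem\wmic.exe never fires, even though the kernel resolves it to the same binary and "shadowcopy delete" runs. The following is an added example, not part of the sandbox report and not the sandbox's own detection logic: a small Python pass over constructed Sysmon-style process-creation and file events that normalizes the image path before matching, and also covers the two other behaviours the report lists, the ransom note written into Startup folders and the read of the Defender emulator marker file C:\aaa_TouchMeNot_.txt. The event records, the PIDs, the sample name, the dict field names and the extra vssadmin rule (a generalization beyond what this report shows) are all assumptions made for the example.

```python
"""Added example: behaviour-based detection over constructed endpoint events.
Not from the sandbox report; events, PIDs and field names are made up here."""
import ntpath
import re

# Constructed events modelled on the report. 'cmd' is the raw CommandLine,
# 'path' the target file of a file create/open event.
EVENTS = [
    {"type": "process", "pid": 1988, "ppid": 488,
     "parent": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",   # assumed name
     "cmd": r'"C:\tk\..\Windows\omc\crtk\..\..\system32\h\tav\..\..\wbem\smrmv\cce\fi\..\..\..\wmic.exe" shadowcopy delete'},
    {"type": "process", "pid": 2000, "ppid": 700,
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\system32\wbem\wmic.exe" os get caption'},   # benign wmic use
    {"type": "file", "op": "open", "pid": 488, "path": r"C:\aaa_TouchMeNot_.txt"},
    {"type": "file", "op": "create", "pid": 488,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt"},
    {"type": "file", "op": "create", "pid": 488,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt"},
    {"type": "file", "op": "create", "pid": 488,
     "path": r"C:\Users\Admin\Desktop\DECRYPT-FILES.txt"},   # a note, but not an autostart location
]

# (expected image basename, argument pattern, alert label)
SHADOW_DELETE_RULES = [
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    # Assumption: generalization to the vssadmin variant, not observed in this report.
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
]

# Normalized, lower-cased folder suffixes that Windows/Word execute or open at logon/start.
STARTUP_DIRS = (r"\start menu\programs\startup", r"\microsoft\word\startup")

# Marker file that only exists inside the Defender emulator; reading it is an emulator check.
DEFENDER_MARKER = "aaa_touchmenot_.txt"


def split_image(cmdline):
    """Return (image_path, arguments) from a Windows command line.
    Handles a quoted or bare first token; it does not reproduce CommandLineToArgvW in full."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline.strip('"'), ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def normalize_image(path):
    """Collapse '.' and '..' components and fold case, so the padded wmic path
    above becomes c:\\windows\\system32\\wbem\\wmic.exe before any comparison."""
    return ntpath.normpath(path).lower()


def detect(events):
    """Run the three rules over the events and return a list of alert dicts."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image, args = split_image(ev["cmd"])
            norm = normalize_image(image)
            for want_base, pattern, label in SHADOW_DELETE_RULES:
                if ntpath.basename(norm) == want_base and pattern.search(args):
                    alerts.append({"rule": label, "pid": ev["pid"], "ppid": ev["ppid"],
                                   "image": norm, "raw_image": image,
                                   # True when the caller hid the binary behind '..' padding
                                   "obfuscated_path": norm != image.lower()})
        elif ev["type"] == "file":
            norm = normalize_image(ev["path"])
            folder, name = ntpath.split(norm)
            if name == DEFENDER_MARKER:
                alerts.append({"rule": "defender emulator check", "pid": ev["pid"], "path": norm})
            elif folder.endswith(STARTUP_DIRS) and name.endswith(".txt"):
                alerts.append({"rule": "note dropped in startup folder", "pid": ev["pid"], "path": norm})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The key design point is that the match is made on the normalized image path and the parsed argument string, not on the raw command line; the raw path is kept in the alert so an analyst can see the padding, and the obfuscated_path flag is itself a strong signal, since legitimate launchers do not traverse through non-existent directories to reach wmic.exe.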
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.4:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 91.218.114.11:80 | | tcp |
Files
memory/488-0-0x0000000002480000-0x00000000024DD000-memory.dmp
memory/488-5-0x0000000002480000-0x00000000024DD000-memory.dmp
memory/488-7-0x0000000002480000-0x00000000024DD000-memory.dmp
memory/4716-8-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-10-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-9-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/488-12-0x0000000002480000-0x00000000024DD000-memory.dmp
memory/4716-16-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-18-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-19-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-21-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-20-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-22-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/4716-23-0x000001EC5FE10000-0x000001EC5FE11000-memory.dmp
memory/488-25-0x0000000002480000-0x00000000024DD000-memory.dmp
C:\odt\DECRYPT-FILES.txt
| MD5 | eb889ac014e39c4ab3c4522303eed833 |
| SHA1 | 2209d9919b29f3734c1cfc176f31cd85a3d6bdca |
| SHA256 | cc57b095e6e2099a4d204b663bb0e80abcbfb276c276c9fbf934930c1db0ff06 |
| SHA512 | 99764530f0905fc9f1faddfc936d88f415acae29ee1672f7aaa1428a780f18a0b661d2ea5054c42fbca36d1d5c05b653f4e94eb1e7a1889c894a97ad1b269d45 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
| MD5 | eb889ac014e39c4ab3c4522303eed833 |
| SHA1 | 2209d9919b29f3734c1cfc176f31cd85a3d6bdca |
| SHA256 | cc57b095e6e2099a4d204b663bb0e80abcbfb276c276c9fbf934930c1db0ff06 |
| SHA512 | 99764530f0905fc9f1faddfc936d88f415acae29ee1672f7aaa1428a780f18a0b661d2ea5054c42fbca36d1d5c05b653f4e94eb1e7a1889c894a97ad1b269d45 |
C:\Users\Admin\Desktop\DECRYPT-FILES.txt
| MD5 | eb889ac014e39c4ab3c4522303eed833 |
| SHA1 | 2209d9919b29f3734c1cfc176f31cd85a3d6bdca |
| SHA256 | cc57b095e6e2099a4d204b663bb0e80abcbfb276c276c9fbf934930c1db0ff06 |
| SHA512 | 99764530f0905fc9f1faddfc936d88f415acae29ee1672f7aaa1428a780f18a0b661d2ea5054c42fbca36d1d5c05b653f4e94eb1e7a1889c894a97ad1b269d45 |
memory/488-773-0x0000000002480000-0x00000000024DD000-memory.dmp