Malware Analysis Report

2024-09-22 14:43

Sample ID 230925-j6aqcsfb37
Target f83fb9ce6a83da58b20685c1d7e1e546.zip
SHA256 77b2731ff3c7a14b8b962ea387c41293415b3478e73973888851991105777560
Tags
maze ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77b2731ff3c7a14b8b962ea387c41293415b3478e73973888851991105777560

Threat Level: Known bad

The file f83fb9ce6a83da58b20685c1d7e1e546.zip was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Reads user/profile data of web browsers

Drops startup file

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-09-25 08:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 08:16

Reported

2023-09-25 10:24

Platform

win7-20230831-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rprk85vp7.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.4Ax2 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.4Ax2\ = "4Ax2_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 1916 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe C:\Windows\system32\wbem\wmic.exe
PID 572 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 572 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 572 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 572 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\jcjwk\j\..\..\Windows\l\..\system32\nwjci\vcls\..\..\wbem\o\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\x\df\p\..\..\..\Windows\qbvqm\alw\..\..\system32\ybg\..\wbem\grd\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2"

Network

Country Destination Domain Proto
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
PL 92.63.32.55:80 tcp
PL 92.63.32.55:80 tcp
PL 92.63.32.55:80 tcp
TR 92.63.11.151:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
PL 92.63.32.55:80 tcp

Files

memory/1916-0-0x0000000000180000-0x00000000001D9000-memory.dmp

memory/1916-1-0x0000000000540000-0x000000000059B000-memory.dmp

memory/1916-6-0x0000000000540000-0x000000000059B000-memory.dmp

memory/1916-10-0x0000000000540000-0x000000000059B000-memory.dmp

memory/1916-14-0x0000000000540000-0x000000000059B000-memory.dmp

C:\Users\DECRYPT-FILES.html

MD5 5c0f52f4f89609b9f8a41cbd4ac84b64
SHA1 d6bf7f59f8ea4aa312e6f260930a55b9710b3767
SHA256 7d717c0034d41a2411919beef0dec4b3c0bff2879e79b7d4d25f4053a6e7a22e
SHA512 6c3063c4bedfbfaea05538d142235fdfb6c239ecd1f7e8edc7a27b73a859ecdc4d1bc7091974196dbdffe3f8f22556635b642f1b45ae40372c5c77d248342523

memory/1916-1780-0x0000000000540000-0x000000000059B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_ED66E6A8328745CF89A50A716B5CA0B8.dat

MD5 e3f3f89380c9ee6aee108491e9b98715
SHA1 56760b5ad12929d05381044ad1913d9bcd2322f9
SHA256 d60e0bbc5098fafc765f35affc549addc029c87a7402ab29a28f9a39a46fd992
SHA512 bc045e29760ece914d02d85f84affca262a9bce866c84acd8c42f124d45e325fd82337f002ac6faad390388fdc80541f20dee028dd0876a768072718896da077

C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2

MD5 5e3323fcbdaaed6cde4f9c8595b709b0
SHA1 85de5ace9b5656896caa48739a29d99bae2f3d31
SHA256 2999075bc0f46094cf80bef5d78722a582604674a52c6d11abfdc5d8d24f33fe
SHA512 36f4fc530cba38ad77be4a33b1f5b5c591b53de14f193639220e5ece671f973af4149446ea6062e66f1f0c73004aadc5a9be6c144cfce87912b355825a87ef89

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 edd75ab59496847a2d0c8e73982f7a1c
SHA1 51cc13fc90e9e09b5f7e5b496aefc9a220354022
SHA256 bebeb0e653ee953d98bdb0e9b5cc6a6ff0b6d90917f717cf86a2d74ead849394
SHA512 46040d0d34591cadea5fe2742a0051f5250bba3730d37a2fac34381fe466f68cb08f786796cb2f5172ac640db441a0b754aea12cb07715350f1e66669571dfd8

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 08:16

Reported

2023-09-25 10:24

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdn6imu0w.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tdn6imu0w.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\p\uiuxv\klmfu\..\..\..\Windows\ua\..\system32\i\ucukl\..\..\wbem\ky\uor\d\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\t\morjo\..\..\Windows\ruflo\xkoc\..\..\system32\r\..\wbem\fgl\jw\oyx\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x304 0x308

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
TR 92.63.8.47:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
TR 92.63.8.47:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
US 8.8.8.8:53 20.194.63.92.in-addr.arpa udp
PL 92.63.32.55:80 tcp
US 8.8.8.8:53 245.17.63.92.in-addr.arpa udp
PL 92.63.32.55:80 tcp
TR 92.63.11.151:80 tcp
PL 92.63.37.100:80 tcp
TR 92.63.11.151:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
PL 92.63.32.55:80 tcp
PL 92.63.32.55:80 tcp
TR 92.63.11.151:80 tcp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/4632-0-0x0000000002B90000-0x0000000002BE9000-memory.dmp

memory/4632-1-0x0000000002D30000-0x0000000002D8B000-memory.dmp

memory/4632-6-0x0000000002D30000-0x0000000002D8B000-memory.dmp

memory/4632-10-0x0000000002D30000-0x0000000002D8B000-memory.dmp

memory/4632-11-0x0000000002D30000-0x0000000002D8B000-memory.dmp

memory/4632-15-0x0000000002D30000-0x0000000002D8B000-memory.dmp

C:\odt\DECRYPT-FILES.html

MD5 112e6e70d90a92e067b81fff517ad5b6
SHA1 e142476f4d07bdfffaa6a42d89a3d3bb0f61f1c6
SHA256 c5168fe3ce0582e934f9395e425e272e140d188b0df7a4da97500b8a9b57370a
SHA512 1bbcce91759e1ac7dcb2d80c718e8557911e8afc8ba694fd523df6c45a7ceae599a3dfe710edbbe41028781bfcfbcd1881c447396466d170e99d9c6031b04690

memory/4632-5327-0x0000000002D30000-0x0000000002D8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_8E7D15DCE096497CAA7E089555ED9DAA.dat

MD5 c6e08dc6a6b73b710daae3e80c18e847
SHA1 33f598376bbbabbd8827763bf71424d692655241
SHA256 8911185b28c1f6b1e28a6d6e396e1d0880c07f7dda48ce745f925720351c8194
SHA512 98b15c2d06feec5f54765372015ef0b24d544927d6f695788251136325c8a871d045094cd8877d319f9236916bfe759433134d479f88ec574d3f65660a21f6c8