Analysis
-
max time kernel
153s -
max time network
182s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11-10-2023 20:13
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20230915-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
C:\Users\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjpok.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2808 wmic.exe Token: SeSecurityPrivilege 2808 wmic.exe Token: SeTakeOwnershipPrivilege 2808 wmic.exe Token: SeLoadDriverPrivilege 2808 wmic.exe Token: SeSystemProfilePrivilege 2808 wmic.exe Token: SeSystemtimePrivilege 2808 wmic.exe Token: SeProfSingleProcessPrivilege 2808 wmic.exe Token: SeIncBasePriorityPrivilege 2808 wmic.exe Token: SeCreatePagefilePrivilege 2808 wmic.exe Token: SeBackupPrivilege 2808 wmic.exe Token: SeRestorePrivilege 2808 wmic.exe Token: SeShutdownPrivilege 2808 wmic.exe Token: SeDebugPrivilege 2808 wmic.exe Token: SeSystemEnvironmentPrivilege 2808 wmic.exe Token: SeRemoteShutdownPrivilege 2808 wmic.exe Token: SeUndockPrivilege 2808 wmic.exe Token: SeManageVolumePrivilege 2808 wmic.exe Token: 33 2808 wmic.exe Token: 34 2808 wmic.exe Token: 35 2808 wmic.exe Token: SeIncreaseQuotaPrivilege 2808 wmic.exe Token: SeSecurityPrivilege 2808 wmic.exe Token: SeTakeOwnershipPrivilege 2808 wmic.exe Token: SeLoadDriverPrivilege 2808 wmic.exe Token: SeSystemProfilePrivilege 2808 wmic.exe Token: SeSystemtimePrivilege 2808 wmic.exe Token: SeProfSingleProcessPrivilege 2808 wmic.exe Token: SeIncBasePriorityPrivilege 2808 wmic.exe Token: SeCreatePagefilePrivilege 2808 wmic.exe Token: SeBackupPrivilege 2808 wmic.exe Token: SeRestorePrivilege 2808 wmic.exe Token: SeShutdownPrivilege 2808 wmic.exe Token: SeDebugPrivilege 2808 wmic.exe Token: SeSystemEnvironmentPrivilege 2808 wmic.exe Token: SeRemoteShutdownPrivilege 2808 wmic.exe Token: SeUndockPrivilege 2808 wmic.exe Token: SeManageVolumePrivilege 2808 wmic.exe Token: 33 2808 wmic.exe Token: 34 2808 wmic.exe Token: 35 2808 wmic.exe Token: SeBackupPrivilege 2940 vssvc.exe Token: SeRestorePrivilege 2940 vssvc.exe Token: SeAuditPrivilege 2940 vssvc.exe Token: SeIncreaseQuotaPrivilege 320 wmic.exe Token: SeSecurityPrivilege 320 wmic.exe Token: SeTakeOwnershipPrivilege 320 wmic.exe Token: SeLoadDriverPrivilege 320 wmic.exe Token: SeSystemProfilePrivilege 320 wmic.exe Token: SeSystemtimePrivilege 320 wmic.exe Token: SeProfSingleProcessPrivilege 320 wmic.exe Token: SeIncBasePriorityPrivilege 320 wmic.exe Token: SeCreatePagefilePrivilege 320 wmic.exe Token: SeBackupPrivilege 320 wmic.exe Token: SeRestorePrivilege 320 wmic.exe Token: SeShutdownPrivilege 320 wmic.exe Token: SeDebugPrivilege 320 wmic.exe Token: SeSystemEnvironmentPrivilege 320 wmic.exe Token: SeRemoteShutdownPrivilege 320 wmic.exe Token: SeUndockPrivilege 320 wmic.exe Token: SeManageVolumePrivilege 320 wmic.exe Token: 33 320 wmic.exe Token: 34 320 wmic.exe Token: 35 320 wmic.exe Token: SeIncreaseQuotaPrivilege 320 wmic.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2080 wrote to memory of 2808 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2080 wrote to memory of 2808 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2080 wrote to memory of 2808 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2080 wrote to memory of 2808 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2080 wrote to memory of 320 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 38 PID 2080 wrote to memory of 320 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 38 PID 2080 wrote to memory of 320 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 38 PID 2080 wrote to memory of 320 2080 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 38 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\system32\wbem\wmic.exe"C:\sxhn\..\Windows\whsl\mok\lx\..\..\..\system32\g\..\wbem\cn\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\system32\wbem\wmic.exe"C:\ojqu\u\..\..\Windows\cj\..\system32\mkh\..\wbem\hfsq\ogvj\vee\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:1020
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_132DD11254E94A02A46A42A906B7C57E.dat
Filesize940B
MD5959dc1c3098e187c4853a2d2220030d0
SHA17bc065da53605ff3b210668e013176aae2f7f55f
SHA25646f041928549f033f293bb105d255e072bf200547d56c24a4ddc1e30081b1efb
SHA512dceba81f796c54669f5cea48d13d63c11077499a1d059bd75c2bacd2d748dabef4feabbe3463f90d8ee95b46f4e1d3ed595459819077cd5b59ce9530abbfb1ac
-
Filesize
6KB
MD5688083fd4f4292b7db3a1a02f3a6fe8c
SHA1b37fcbc3dcd2728ba40bdb491907c72f9d044fc7
SHA2564b300882e0f993f62b25ed9330128be265a5e8038334ab9dbadcf121bab9a0fa
SHA5126558733930dec990b23805174ac8bbaf948307c81406095e5bdd5316255e1b46b43b3fdcd6817b52eb11a3199e80cac9baee10827dc2a3557f6cea0d6be10da1