Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 12:57
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20230915-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-1926387074-3400613176-3566796709-1000\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\lrsdu8.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsdu8.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3596 wmic.exe Token: SeSecurityPrivilege 3596 wmic.exe Token: SeTakeOwnershipPrivilege 3596 wmic.exe Token: SeLoadDriverPrivilege 3596 wmic.exe Token: SeSystemProfilePrivilege 3596 wmic.exe Token: SeSystemtimePrivilege 3596 wmic.exe Token: SeProfSingleProcessPrivilege 3596 wmic.exe Token: SeIncBasePriorityPrivilege 3596 wmic.exe Token: SeCreatePagefilePrivilege 3596 wmic.exe Token: SeBackupPrivilege 3596 wmic.exe Token: SeRestorePrivilege 3596 wmic.exe Token: SeShutdownPrivilege 3596 wmic.exe Token: SeDebugPrivilege 3596 wmic.exe Token: SeSystemEnvironmentPrivilege 3596 wmic.exe Token: SeRemoteShutdownPrivilege 3596 wmic.exe Token: SeUndockPrivilege 3596 wmic.exe Token: SeManageVolumePrivilege 3596 wmic.exe Token: 33 3596 wmic.exe Token: 34 3596 wmic.exe Token: 35 3596 wmic.exe Token: 36 3596 wmic.exe Token: SeIncreaseQuotaPrivilege 3596 wmic.exe Token: SeSecurityPrivilege 3596 wmic.exe Token: SeTakeOwnershipPrivilege 3596 wmic.exe Token: SeLoadDriverPrivilege 3596 wmic.exe Token: SeSystemProfilePrivilege 3596 wmic.exe Token: SeSystemtimePrivilege 3596 wmic.exe Token: SeProfSingleProcessPrivilege 3596 wmic.exe Token: SeIncBasePriorityPrivilege 3596 wmic.exe Token: SeCreatePagefilePrivilege 3596 wmic.exe Token: SeBackupPrivilege 3596 wmic.exe Token: SeRestorePrivilege 3596 wmic.exe Token: SeShutdownPrivilege 3596 wmic.exe Token: SeDebugPrivilege 3596 wmic.exe Token: SeSystemEnvironmentPrivilege 3596 wmic.exe Token: SeRemoteShutdownPrivilege 3596 wmic.exe Token: SeUndockPrivilege 3596 wmic.exe Token: SeManageVolumePrivilege 3596 wmic.exe Token: 33 3596 wmic.exe Token: 34 3596 wmic.exe Token: 35 3596 wmic.exe Token: 36 3596 wmic.exe Token: SeBackupPrivilege 324 vssvc.exe Token: SeRestorePrivilege 324 vssvc.exe Token: SeAuditPrivilege 324 vssvc.exe Token: SeIncreaseQuotaPrivilege 3732 wmic.exe Token: SeSecurityPrivilege 3732 wmic.exe Token: SeTakeOwnershipPrivilege 3732 wmic.exe Token: SeLoadDriverPrivilege 3732 wmic.exe Token: SeSystemProfilePrivilege 3732 wmic.exe Token: SeSystemtimePrivilege 3732 wmic.exe Token: SeProfSingleProcessPrivilege 3732 wmic.exe Token: SeIncBasePriorityPrivilege 3732 wmic.exe Token: SeCreatePagefilePrivilege 3732 wmic.exe Token: SeBackupPrivilege 3732 wmic.exe Token: SeRestorePrivilege 3732 wmic.exe Token: SeShutdownPrivilege 3732 wmic.exe Token: SeDebugPrivilege 3732 wmic.exe Token: SeSystemEnvironmentPrivilege 3732 wmic.exe Token: SeRemoteShutdownPrivilege 3732 wmic.exe Token: SeUndockPrivilege 3732 wmic.exe Token: SeManageVolumePrivilege 3732 wmic.exe Token: 33 3732 wmic.exe Token: 34 3732 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4112 wrote to memory of 3596 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 91 PID 4112 wrote to memory of 3596 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 91 PID 4112 wrote to memory of 3732 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 98 PID 4112 wrote to memory of 3732 4112 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 98 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\system32\wbem\wmic.exe"C:\boc\h\..\..\Windows\mgk\vcyb\wlof\..\..\..\system32\bsoor\..\wbem\rdwt\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
-
C:\Windows\system32\wbem\wmic.exe"C:\roi\f\..\..\Windows\gym\jbp\bgs\..\..\..\system32\rxdx\towq\oo\..\..\..\wbem\jfiru\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:324
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x50c 0x5181⤵PID:4816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_663B792BA4244A8F90BF6757AA16C40C.dat
Filesize940B
MD5837c542dcb57b09390d4a917e3ab2e28
SHA1eb9137b6b8f21a4047d2eb6a5c7d87e96d015162
SHA25667a203cbce251f8bf584752d51db335e3c1890a3603a4774f945b30668524656
SHA512810e26a5d8c137369df589f13af9fd997b0850367ccbc8a6a53797c0009a5bee2951548521621016ac7a37f1f71df29ebbc0143ec0bafedca7a4048a0b70a613
-
Filesize
6KB
MD5a6612820d92995ed19026af677995b80
SHA1ff4211863d976b7894bd56626cd81d9bb3d46744
SHA25696136f79081fd12e039e7541cb46c6d8d84058a27c5fc28febfac9b0388e435c
SHA512ab56c25809f0e268c2f60a3289e43ed8dc371f64a69230cf43d77bd1b203fb62002ec406bbe99bd6821ae676cf8980f98bde566ee5cd94fc56e860b3aac8c653