Malware Analysis Report

2024-09-22 14:43

Sample ID 231012-p6yp3sch62
Target 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
SHA256 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
Tags
maze ransomware spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af

Threat Level: Known bad

The file 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Windows Defender anti-emulation file check

Drops startup file

Reads user/profile data of web browsers

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-12 12:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 12:57

Reported

2023-10-16 03:42

Platform

win10v2004-20230915-en

Max time kernel

170s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Windows Defender anti-emulation file check

Description Indicator Process Target
File opened (read-only) C:\aaa_TouchMeNot_.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vxz0.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\5vxz0.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\5vxz0.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\JoinAssert.bmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files (x86)\5vxz0.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\CompleteSelect.ppsm C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\GrantMove.aifc C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SetCompare.dotx C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ExportEdit.tiff C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\MeasureEdit.svgz C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RemoveRegister.html C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ResolveOptimize.wmx C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\TestConvert.ps1xml C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\WatchSend.pub C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ImportRename.temp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RegisterNew.aifc C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\StartComplete.m1v C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\BlockMount.potx C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\EnterSync.lock C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SwitchStep.otf C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ConfirmUpdate.i64 C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RestoreOut.avi C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SetReceive.contact C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\UnregisterClose.emz C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\AssertJoin.xlsm C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SearchTest.ps1 C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SearchWait.xps C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe

"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\lqcnq\wg\oq\..\..\..\Windows\jy\..\system32\afik\pdmcn\rlx\..\..\..\wbem\fb\oexer\lvab\..\..\..\wmic.exe" shadowcopy delete

Network

Country Destination Domain Proto

Files

memory/5100-0-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

memory/5100-5-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

memory/5100-7-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

memory/5100-8-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

memory/5100-12-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

C:\$Recycle.Bin\DECRYPT-FILES.txt

MD5 a3ec0f3fac005b100860d9340e5a939c
SHA1 ecff713ad9d548b5442b40ca1a64fdb327627527
SHA256 0eaeaa113927f69844e18ef301c2a0e7a0ecd30cd298dd60a23c1ce7feb178ad
SHA512 6fcf98c2751e7c34cd495f7587329ba0b068ee670facc29c71af494d909c339d8291c5552e39ce4d83422b78618a0c326707c920589dd3c451e5ce42dd7d7bca

memory/5100-769-0x0000000000CD0000-0x0000000000D2D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 12:57

Reported

2023-10-16 03:42

Platform

win7-20230831-en

Max time kernel

157s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Windows Defender anti-emulation file check

Description Indicator Process Target
File opened (read-only) C:\aaa_TouchMeNot_.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\PushInvoke.cab C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RenameUnprotect.m4v C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\StepUnprotect.m1v C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\JoinDisable.cfg C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\MoveSkip.wav C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\UpdateJoin.mov C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SubmitCompare.mp2v C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\MoveSubmit.xps C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SaveSet.wpl C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\UninstallLimit.mpeg C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SplitMerge.mpg C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files (x86)\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ExportWrite.htm C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\MergeRestore.xsl C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RemoveRename.docx C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\ResumeInitialize.mhtml C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\SwitchReset.wps C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\UndoLimit.m4a C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\InstallLimit.ttc C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files\RestoreReceive.pps C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sg6bwrs.tmp C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe

"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\wfvdb\..\Windows\u\..\system32\ne\..\wbem\svul\xjic\..\..\wmic.exe" shadowcopy delete

Network

Country Destination Domain Proto

Files

memory/1820-0-0x0000000000180000-0x00000000001DD000-memory.dmp

memory/1820-5-0x0000000000180000-0x00000000001DD000-memory.dmp

memory/1820-7-0x0000000000180000-0x00000000001DD000-memory.dmp

memory/1820-11-0x0000000000180000-0x00000000001DD000-memory.dmp

C:\Users\DECRYPT-FILES.txt

MD5 66ef1014cc66a5f28bac3edc38b37238
SHA1 ca57d5eabe24a903ccbf53b216b45dfac8e384d3
SHA256 805040519533462a8f0e1016371aaafd6422d9c15ce4494726a0738e9cf998e6
SHA512 2ee58e756191e170747d0ffd26a09a823153961d9b63da86869ba69be18611fb404c259a89d468093063f5688abb01c657b09d07f5c6aea05c91ed6e82de38f1

memory/1820-823-0x0000000000180000-0x00000000001DD000-memory.dmp