Analysis
- max time kernel: 152s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 02:49
Static task: static1
Behavioral task: behavioral1
- Sample: Sample.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: Sample.dll
- Resource: win10v2004-20230915-en
General
- Target: Sample.dll
- Size: 601KB
- MD5: 910aa49813ee4cc7e4fa0074db5e454a
- SHA1: 45831987fabeb7b32c70f662be8cb24e2efef1dc
- SHA256: 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a
- SHA512: 3a726bda8119bbb45a5407703982453abca112df38921df76d57febd455c297f61c19858c40c48f155a721b460b0b5d4b410f5427980df3b8959f8969a8d24bd
- SSDEEP: 12288:yxqa4OJLt8sJ3y3/xi+aW4cJ6ANgRitRUA1qDoj2h9TY+gleOrnGLUVHso:uGCBQp3aW44cCIYBeOsMMo
Malware Config
Extracted from: F:\$RECYCLE.BIN\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/6cfd0cc65ce16197
  - https://mazedecrypt.top/6cfd0cc65ce16197
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (4 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cfd0cc65ce16197.tmp | regsvr32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6cfd0cc65ce16197.tmp | regsvr32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | regsvr32.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | regsvr32.exe
- Drops file in Program Files directory (27 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File opened for modification | C:\Program Files\JoinAssert.bmp | regsvr32.exe
  File opened for modification | C:\Program Files\RestoreOut.avi | regsvr32.exe
  File opened for modification | C:\Program Files\WatchSend.pub | regsvr32.exe
  File opened for modification | C:\Program Files (x86)\6cfd0cc65ce16197.tmp | regsvr32.exe
  File opened for modification | C:\Program Files\SearchWait.xps | regsvr32.exe
  File opened for modification | C:\Program Files\SwitchStep.otf | regsvr32.exe
  File opened for modification | C:\Program Files\BlockMount.potx | regsvr32.exe
  File opened for modification | C:\Program Files\ExportEdit.tiff | regsvr32.exe
  File opened for modification | C:\Program Files\RegisterNew.aifc | regsvr32.exe
  File opened for modification | C:\Program Files\SearchTest.ps1 | regsvr32.exe
  File created | C:\Program Files (x86)\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Program Files\AssertJoin.xlsm | regsvr32.exe
  File opened for modification | C:\Program Files\ImportRename.temp | regsvr32.exe
  File opened for modification | C:\Program Files\MeasureEdit.svgz | regsvr32.exe
  File opened for modification | C:\Program Files\RemoveRegister.html | regsvr32.exe
  File opened for modification | C:\Program Files\SetReceive.contact | regsvr32.exe
  File opened for modification | C:\Program Files\GrantMove.aifc | regsvr32.exe
  File opened for modification | C:\Program Files\ResolveOptimize.wmx | regsvr32.exe
  File opened for modification | C:\Program Files\ConfirmUpdate.i64 | regsvr32.exe
  File opened for modification | C:\Program Files\TestConvert.ps1xml | regsvr32.exe
  File created | C:\Program Files\DECRYPT-FILES.txt | regsvr32.exe
  File opened for modification | C:\Program Files\CompleteSelect.ppsm | regsvr32.exe
  File opened for modification | C:\Program Files\EnterSync.lock | regsvr32.exe
  File opened for modification | C:\Program Files\StartComplete.m1v | regsvr32.exe
  File opened for modification | C:\Program Files\6cfd0cc65ce16197.tmp | regsvr32.exe
  File opened for modification | C:\Program Files\SetCompare.dotx | regsvr32.exe
  File opened for modification | C:\Program Files\UnregisterClose.emz | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: regsvr32.exe
  pid | process
  500 | regsvr32.exe
  500 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: vssvc.exe, wmic.exe, AUDIODG.EXE
  description (Token:) | pid | process
  vssvc.exe (PID 1508): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wmic.exe (PID 3692), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  AUDIODG.EXE (PID 1660): 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description | pid | process | target process
  PID 824 wrote to memory of 500 | 824 | regsvr32.exe | regsvr32.exe
  PID 824 wrote to memory of 500 | 824 | regsvr32.exe | regsvr32.exe
  PID 824 wrote to memory of 500 | 824 | regsvr32.exe | regsvr32.exe
  PID 500 wrote to memory of 3692 | 500 | regsvr32.exe | wmic.exe
  PID 500 wrote to memory of 3692 | 500 | regsvr32.exe | wmic.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\regsvr32.exe (PID 824)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 500)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\Sample.dll
    - Drops startup file
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbem\wmic.exe (PID 3692)
      Command line: "C:\k\..\Windows\awihm\aukcq\..\..\system32\xxw\dwb\..\..\wbem\f\arni\..\..\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1508)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (PID 1660)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2c8 0x150
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0F3B7EC492364DEE840501A9A32694AC.dat
  Filesize: 940B
  MD5: 03ac0ad603a89ab3834f6b6bdb55bbd8
  SHA1: 0e33bb3828ed99e509975eddbc01b2df38de1235
  SHA256: 2411b32a85ece5fb7fbb89932a2a289bd6886afe1db4b3acf1031c423a49ad22
  SHA512: 19c4dcaeabbbec9d964e595e223ecb0a74ee96f9659bd724e953de1ca3f3d9053f5e4b7d58671ada83f2c806acd23a76aaf69501fb2a038c8c7225294ff78e0b
- Filesize: 10KB
  MD5: 64955d1ce98e92ecebcc589169ddaa95
  SHA1: 86f2d69edc989153f3339f78594c196f6413cc86
  SHA256: 29c0bf34e6bcf2a96b890128fdb36aadf9982c2229b18b38686ec92b18096808
  SHA512: b47dfc7d62a719bf8e54da977a83311ab6cbd7be3cf9300f5e6cbff07336264f71ace424cac178c4104da364a2f81d4aee1b7f2cabe89a30387ee1dcd2c546b3