Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2023 20:28
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 0.dll
  - Resource: win7-20231023-en
Behavioral task
- behavioral2
  - Sample: 0.dll
  - Resource: win10v2004-20231020-en
General
- Target: 0.dll
- Size: 364KB
- MD5: f45a18ae5714d1aeb067f1b4f4923073
- SHA1: e6f53d26e2734bbcb91ec828883465db3d40666d
- SHA256: e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
- SHA512: bad89a98965bb21239fd644c4a0d3de4a09e51e0e4f8b24d2e158621d07730e395e287d91317b374e4443bef0ad4c919140bf36fc165b5e59a4b72a674c812f9
- SSDEEP: 6144:5HTs5cIzrLrLrLgsVJIS+Nn49MS0BqQOrCV50DErFNg/ydlb4fQ6wFMv53:uYha0QdDENg6dNoQl+vB
Malware Config
- Extracted from: F:\$RECYCLE.BIN\S-1-5-21-3618187007-3650799920-3290345941-1000\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/6b930cc385fe346b
  - https://mazedecrypt.top/6b930cc385fe346b
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt (rundll32.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b930cc385fe346b.tmp (rundll32.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (43 IoCs, all by rundll32.exe)
  - File opened for modification: C:\Program Files\ClearInstall.odp
  - File opened for modification: C:\Program Files\GroupInitialize.mpeg
  - File opened for modification: C:\Program Files\PublishBlock.DVR
  - File opened for modification: C:\Program Files\ResetAssert.css
  - File opened for modification: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6b930cc385fe346b.tmp
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6b930cc385fe346b.tmp
  - File opened for modification: C:\Program Files\6b930cc385fe346b.tmp
  - File opened for modification: C:\Program Files\ExpandRead.jpeg
  - File opened for modification: C:\Program Files\ExportAssert.bmp
  - File opened for modification: C:\Program Files\GroupCompare.7z
  - File opened for modification: C:\Program Files\MountHide.reg
  - File opened for modification: C:\Program Files\SearchHide.vbs
  - File opened for modification: C:\Program Files\RemoveRegister.avi
  - File opened for modification: C:\Program Files\SyncNew.scf
  - File opened for modification: C:\Program Files\EnableReceive.shtml
  - File opened for modification: C:\Program Files\EnterRestart.001
  - File opened for modification: C:\Program Files\FormatStop.txt
  - File opened for modification: C:\Program Files\InvokeDeny.rmi
  - File opened for modification: C:\Program Files\LockRestart.ini
  - File opened for modification: C:\Program Files\MoveStop.cab
  - File opened for modification: C:\Program Files\UpdateUninstall.wps
  - File opened for modification: C:\Program Files\BlockTrace.emf
  - File opened for modification: C:\Program Files\ImportConvertFrom.vstx
  - File opened for modification: C:\Program Files\SendConvertTo.wdp
  - File opened for modification: C:\Program Files\UseResolve.dib
  - File opened for modification: C:\Program Files (x86)\6b930cc385fe346b.tmp
  - File opened for modification: C:\Program Files\UndoSubmit.raw
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt
  - File created: C:\Program Files\DECRYPT-FILES.txt
  - File opened for modification: C:\Program Files\CopyUndo.bin
  - File opened for modification: C:\Program Files\FindDisconnect.xltm
  - File opened for modification: C:\Program Files\RestartTest.tiff
  - File opened for modification: C:\Program Files\RevokeUnpublish.vsdx
  - File opened for modification: C:\Program Files\ShowSync.eprtx
  - File opened for modification: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6b930cc385fe346b.tmp
  - File opened for modification: C:\Program Files\RemoveSplit.contact
  - File opened for modification: C:\Program Files\SuspendPop.vb
  - File opened for modification: C:\Program Files\HideMove.htm
  - File opened for modification: C:\Program Files\ProtectRedo.vsd
  - File opened for modification: C:\Program Files\ResetDeny.001
  - File created: C:\Program Files (x86)\DECRYPT-FILES.txt
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 368 (rundll32.exe)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  - vssvc.exe (PID 2724): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wmic.exe (PID 2416), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 2132 (rundll32.exe) wrote to memory of PID 368, procid_target 28 (7 events)
  - PID 368 (rundll32.exe) wrote to memory of PID 2416, procid_target 33 (4 events)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\rundll32.exe (PID 2132)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 368)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
    - Drops startup file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbem\wmic.exe (PID 2416)
      Command line: "C:\cv\e\..\..\Windows\jfhe\w\..\..\system32\exl\wgw\bxlnj\..\..\..\wbem\ifvm\ixmt\m\..\..\..\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2724)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  - MD5: 3855935c6776197480aee4c2479ae2e5
  - SHA1: e1c251af57c0e32f65349af2b2d339c63a43775d
  - SHA256: 5719e7909be7db185fdae67ee84e3794a4d060aafbb6f6b8ed54f9f14a99e179
  - SHA512: e3499ee3a9100cecae14207466ab63ac0fdcdfd4f7f2f641adf5fa455808054d18b73f24437b78d88f2b3d51913a08d2bbcad748c59d67bd9cd78d5ff71482aa