Analysis
max time kernel: 128s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2023 20:28
Static task: static1
Behavioral task: behavioral1
  Sample: 0.dll
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 0.dll
  Resource: win10v2004-20231020-en
General
Target: 0.dll
Size: 364KB
MD5: f45a18ae5714d1aeb067f1b4f4923073
SHA1: e6f53d26e2734bbcb91ec828883465db3d40666d
SHA256: e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
SHA512: bad89a98965bb21239fd644c4a0d3de4a09e51e0e4f8b24d2e158621d07730e395e287d91317b374e4443bef0ad4c919140bf36fc165b5e59a4b72a674c812f9
SSDEEP: 6144:5HTs5cIzrLrLrLgsVJIS+Nn49MS0BqQOrCV50DErFNg/ydlb4fQ6wFMv53:uYha0QdDENg6dNoQl+vB
Malware Config
Extracted
Path: F:\$RECYCLE.BIN\S-1-5-21-3811856890-180006922-3689258494-1000\DECRYPT-FILES.txt
Family: maze
URLs:
  http://aoacugmutagkwctu.onion/6c270cabc633370a
  https://mazedecrypt.top/6c270cabc633370a
Signatures

Maze
Ransomware family also known as ChaCha.

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | rundll32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c270cabc633370a.tmp | rundll32.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | rundll32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c270cabc633370a.tmp | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\CompleteCompress.mpeg | rundll32.exe
File opened for modification | C:\Program Files\GrantMeasure.htm | rundll32.exe
File opened for modification | C:\Program Files\MoveSelect.clr | rundll32.exe
File opened for modification | C:\Program Files\UseTrace.js | rundll32.exe
File created | C:\Program Files\DECRYPT-FILES.txt | rundll32.exe
File opened for modification | C:\Program Files\CompareConnect.asp | rundll32.exe
File opened for modification | C:\Program Files\ConvertFromReset.mpeg | rundll32.exe
File opened for modification | C:\Program Files\UnlockNew.001 | rundll32.exe
File opened for modification | C:\Program Files\UnprotectDismount.emz | rundll32.exe
File opened for modification | C:\Program Files\UnregisterBackup.ps1xml | rundll32.exe
File opened for modification | C:\Program Files\GrantStop.jpe | rundll32.exe
File opened for modification | C:\Program Files\SelectDisconnect.rle | rundll32.exe
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | rundll32.exe
File opened for modification | C:\Program Files\PopOut.dwg | rundll32.exe
File opened for modification | C:\Program Files (x86)\6c270cabc633370a.tmp | rundll32.exe
File opened for modification | C:\Program Files\CloseInvoke.clr | rundll32.exe
File opened for modification | C:\Program Files\CopyGrant.csv | rundll32.exe
File opened for modification | C:\Program Files\ImportGroup.tiff | rundll32.exe
File opened for modification | C:\Program Files\ShowPublish.svg | rundll32.exe
File opened for modification | C:\Program Files\UnpublishCheckpoint.rmi | rundll32.exe
File opened for modification | C:\Program Files\ConvertFromResize.hta | rundll32.exe
File opened for modification | C:\Program Files\EnableConvertFrom.xhtml | rundll32.exe
File opened for modification | C:\Program Files\PopSuspend.jfif | rundll32.exe
File opened for modification | C:\Program Files\TraceExit.sql | rundll32.exe
File opened for modification | C:\Program Files\UnpublishExpand.jpeg | rundll32.exe
File opened for modification | C:\Program Files\GrantInvoke.tif | rundll32.exe
File opened for modification | C:\Program Files\ResolveRestore.xlt | rundll32.exe
File opened for modification | C:\Program Files\RevokeResume.ico | rundll32.exe
File opened for modification | C:\Program Files\StopSave.xltm | rundll32.exe
File opened for modification | C:\Program Files\6c270cabc633370a.tmp | rundll32.exe
File opened for modification | C:\Program Files\BlockMove.lock | rundll32.exe
File opened for modification | C:\Program Files\SubmitHide.pub | rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4428 | rundll32.exe
4428 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 4808 | vssvc.exe
Token: SeRestorePrivilege | 4808 | vssvc.exe
Token: SeAuditPrivilege | 4808 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3920 wrote to memory of 4428 | 3920 | rundll32.exe | 88
PID 3920 wrote to memory of 4428 | 3920 | rundll32.exe | 88
PID 3920 wrote to memory of 4428 | 3920 | rundll32.exe | 88
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
  PID: 3920
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
    PID: 4428
    - Drops startup file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4808
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 10KB
MD5: 5e1dffb75373fc66ebacc5d8e5156ced
SHA1: 18c752af3bbeaddc03e60260bee61059624fe11d
SHA256: 4e6d415e0cf918714152c3ab323ec24fedd3646ef1c93d4d452c2c1df56d5424
SHA512: 9f6bd6a869c91224beb9964e7353f84c72285dc148e1de68e4d4a3c1638a0269d636e0fe1844c1da44e1a235d68c1b628347ed25e79a4dc6245457f975d279e8