Malware Analysis Report

2024-09-22 14:43

Sample ID 231029-y83lgsba43
Target 0.dll
SHA256 e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
Tags maze ransomware spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2

Threat Level: Known bad

The file 0.dll was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Reads user/profile data of web browsers

Drops startup file

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Analysis: static1

Detonation Overview

Reported 2023-10-29 20:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-29 20:28

Reported 2023-10-29 20:31

Platform win7-20231023-en

Max time kernel 122s

Max time network 128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ClearInstall.odp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\GroupInitialize.mpeg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\PublishBlock.DVR C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ResetAssert.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ExpandRead.jpeg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ExportAssert.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\GroupCompare.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\MountHide.reg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SearchHide.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RemoveRegister.avi C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SyncNew.scf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\EnableReceive.shtml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\EnterRestart.001 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\FormatStop.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\InvokeDeny.rmi C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\LockRestart.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\MoveStop.cab C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UpdateUninstall.wps C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\BlockTrace.emf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ImportConvertFrom.vstx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SendConvertTo.wdp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UseResolve.dib C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UndoSubmit.raw C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\CopyUndo.bin C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\FindDisconnect.xltm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RestartTest.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RevokeUnpublish.vsdx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ShowSync.eprtx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6b930cc385fe346b.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RemoveSplit.contact C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SuspendPop.vb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\HideMove.htm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ProtectRedo.vsd C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ResetDeny.001 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\cv\e\..\..\Windows\jfhe\w\..\..\system32\exl\wgw\bxlnj\..\..\..\wbem\ifvm\ixmt\m\..\..\..\wmic.exe" shadowcopy delete

Network

N/A

Files

F:\$RECYCLE.BIN\S-1-5-21-3618187007-3650799920-3290345941-1000\DECRYPT-FILES.txt

MD5 3855935c6776197480aee4c2479ae2e5
SHA1 e1c251af57c0e32f65349af2b2d339c63a43775d
SHA256 5719e7909be7db185fdae67ee84e3794a4d060aafbb6f6b8ed54f9f14a99e179
SHA512 e3499ee3a9100cecae14207466ab63ac0fdcdfd4f7f2f641adf5fa455808054d18b73f24437b78d88f2b3d51913a08d2bbcad748c59d67bd9cd78d5ff71482aa

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-29 20:28

Reported 2023-10-29 20:31

Platform win10v2004-20231020-en

Max time kernel 128s

Max time network 136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

Signatures

Maze

trojan ransomware maze

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c270cabc633370a.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c270cabc633370a.tmp C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CompleteCompress.mpeg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\GrantMeasure.htm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\MoveSelect.clr C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UseTrace.js C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\CompareConnect.asp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ConvertFromReset.mpeg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnlockNew.001 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnprotectDismount.emz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnregisterBackup.ps1xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\GrantStop.jpe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SelectDisconnect.rle C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\PopOut.dwg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\6c270cabc633370a.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\CloseInvoke.clr C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\CopyGrant.csv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ImportGroup.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ShowPublish.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnpublishCheckpoint.rmi C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ConvertFromResize.hta C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\EnableConvertFrom.xhtml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\PopSuspend.jfif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\TraceExit.sql C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnpublishExpand.jpeg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\GrantInvoke.tif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ResolveRestore.xlt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RevokeResume.ico C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\StopSave.xltm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\6c270cabc633370a.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\BlockMove.lock C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SubmitHide.pub C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 164.117.223.173.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

F:\$RECYCLE.BIN\S-1-5-21-3811856890-180006922-3689258494-1000\DECRYPT-FILES.txt

MD5 5e1dffb75373fc66ebacc5d8e5156ced
SHA1 18c752af3bbeaddc03e60260bee61059624fe11d
SHA256 4e6d415e0cf918714152c3ab323ec24fedd3646ef1c93d4d452c2c1df56d5424
SHA512 9f6bd6a869c91224beb9964e7353f84c72285dc148e1de68e4d4a3c1638a0269d636e0fe1844c1da44e1a235d68c1b628347ed25e79a4dc6245457f975d279e8