Analysis Overview
SHA256
e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
Threat Level: Known bad
The file 0.dll was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Reads user/profile data of web browsers
Drops startup file
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-29 20:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-29 20:28
Reported
2023-10-29 20:31
Platform
win7-20231023-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\ClearInstall.odp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GroupInitialize.mpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\PublishBlock.DVR | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ResetAssert.css | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ExpandRead.jpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ExportAssert.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GroupCompare.7z | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MountHide.reg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SearchHide.vbs | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RemoveRegister.avi | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SyncNew.scf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\EnableReceive.shtml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\EnterRestart.001 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\FormatStop.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\InvokeDeny.rmi | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\LockRestart.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MoveStop.cab | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UpdateUninstall.wps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\BlockTrace.emf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ImportConvertFrom.vstx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SendConvertTo.wdp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UseResolve.dib | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UndoSubmit.raw | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\CopyUndo.bin | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\FindDisconnect.xltm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RestartTest.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RevokeUnpublish.vsdx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ShowSync.eprtx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6b930cc385fe346b.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RemoveSplit.contact | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SuspendPop.vb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\HideMove.htm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ProtectRedo.vsd | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ResetDeny.001 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\cv\e\..\..\Windows\jfhe\w\..\..\system32\exl\wgw\bxlnj\..\..\..\wbem\ifvm\ixmt\m\..\..\..\wmic.exe" shadowcopy delete
Network
Files
F:\$RECYCLE.BIN\S-1-5-21-3618187007-3650799920-3290345941-1000\DECRYPT-FILES.txt
| Hash | Value |
|---|---|
| MD5 | 3855935c6776197480aee4c2479ae2e5 |
| SHA1 | e1c251af57c0e32f65349af2b2d339c63a43775d |
| SHA256 | 5719e7909be7db185fdae67ee84e3794a4d060aafbb6f6b8ed54f9f14a99e179 |
| SHA512 | e3499ee3a9100cecae14207466ab63ac0fdcdfd4f7f2f641adf5fa455808054d18b73f24437b78d88f2b3d51913a08d2bbcad748c59d67bd9cd78d5ff71482aa |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-29 20:28
Reported
2023-10-29 20:31
Platform
win10v2004-20231020-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Maze
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c270cabc633370a.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c270cabc633370a.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\CompleteCompress.mpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GrantMeasure.htm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MoveSelect.clr | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UseTrace.js | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\CompareConnect.asp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ConvertFromReset.mpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UnlockNew.001 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UnprotectDismount.emz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UnregisterBackup.ps1xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GrantStop.jpe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SelectDisconnect.rle | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\PopOut.dwg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6c270cabc633370a.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\CloseInvoke.clr | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\CopyGrant.csv | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ImportGroup.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ShowPublish.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UnpublishCheckpoint.rmi | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ConvertFromResize.hta | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\EnableConvertFrom.xhtml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\PopSuspend.jfif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\TraceExit.sql | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UnpublishExpand.jpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GrantInvoke.tif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ResolveRestore.xlt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RevokeResume.ico | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\StopSave.xltm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\6c270cabc633370a.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\BlockMove.lock | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SubmitHide.pub | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3920 wrote to memory of 4428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3920 wrote to memory of 4428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3920 wrote to memory of 4428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.117.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
F:\$RECYCLE.BIN\S-1-5-21-3811856890-180006922-3689258494-1000\DECRYPT-FILES.txt
| Hash | Value |
|---|---|
| MD5 | 5e1dffb75373fc66ebacc5d8e5156ced |
| SHA1 | 18c752af3bbeaddc03e60260bee61059624fe11d |
| SHA256 | 4e6d415e0cf918714152c3ab323ec24fedd3646ef1c93d4d452c2c1df56d5424 |
| SHA512 | 9f6bd6a869c91224beb9964e7353f84c72285dc148e1de68e4d4a3c1638a0269d636e0fe1844c1da44e1a235d68c1b628347ed25e79a4dc6245457f975d279e8 |