Malware Analysis Report

2024-09-22 14:43

Sample ID: 231031-d2776sad35
Target: f45a18ae5714d1aeb067f1b4f4923073.bin
SHA256: e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
Tags: maze ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
Threat Level: Known bad

The file f45a18ae5714d1aeb067f1b4f4923073.bin was found to be: Known bad. Although submitted with a .bin extension, the file is a DLL: both behavioural runs execute it as C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll through rundll32.exe, calling export ordinal #1.

Malicious Activity Summary

Tags: maze ransomware trojan

- Maze: family signature. The ransom note name recorded below, DECRYPT-FILES.txt, is the one Maze uses.
- Drops file in Program Files directory: the rows under this signature mix three things: existing files under Program Files and Program Files (x86) opened for modification (the encryption targets), DECRYPT-FILES.txt created in each directory the sample touched (the ransom note), and a temp file whose name is fixed within a run but differs between runs (6c210cb7a929f79d.tmp on win7, 6c4b0cb0ff7e16d7.tmp on win10).
- Unsigned PE: static finding; the sample carries no Authenticode signature.
- Suspicious behavior: EnumeratesProcesses: attributed to the 32-bit rundll32.exe that hosts the DLL.
- Suspicious use of AdjustPrivilegeToken: every hit is on vssvc.exe enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege on its own token, which the Volume Shadow Copy service needs for its normal operation. It shows that the service was started during the run; it is not a privilege change in the sample's own process.
- Suspicious use of WriteProcessMemory: C:\Windows\system32\rundll32.exe writes into C:\Windows\SysWOW64\rundll32.exe. Both carry the same command line, so this is consistent with the 64-bit rundll32 re-executing its 32-bit counterpart to load a 32-bit DLL, rather than injection into an unrelated process.
- Uses Volume Shadow Copy service COM API: ransomware-style interaction with VSS, which also explains the vssvc.exe start above. The report records the API use but no individual calls, so whether shadow copies were actually enumerated or deleted is not shown here.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2023-10-31 03:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-31 03:31
Reported: 2023-10-31 03:33
Platform: win7-20231020-en
Max time kernel: 122s
Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

Signatures

Maze

trojan ransomware maze

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\RemoveRename.docx | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\RestoreReceive.pps | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\ResumeInitialize.mhtml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\StepUnprotect.m1v | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SwitchReset.wps | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\UndoLimit.m4a | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\MoveSubmit.xps | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SubmitCompare.mp2v | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\ExportWrite.htm | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\JoinDisable.cfg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SaveSet.wpl | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\RenameUnprotect.m4v | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SplitMerge.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\UpdateJoin.mov | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\InstallLimit.ttc | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\MergeRestore.xsl | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\PushInvoke.cab | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\MoveSkip.wav | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\UninstallLimit.mpeg | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The row above was recorded 7 times, i.e. seven separate writes from PID 2644 into PID 1912.)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\rundll32.exe (PID 2644, per the WriteProcessMemory rows)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

C:\Windows\SysWOW64\rundll32.exe (PID 1912; the 32-bit host of the DLL, started with the identical command line. The file-system and process-enumeration signatures above are attributed to this process.)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

C:\Windows\system32\vssvc.exe (Volume Shadow Copy service, started with no arguments)

C:\Windows\system32\vssvc.exe

Network

N/A (no network activity was recorded in the win7 run)

Files

F:\$RECYCLE.BIN\S-1-5-21-1154728922-3261336865-3456416385-1000\DECRYPT-FILES.txt

MD5 a6bc87ffab145ec344f4bca0fd578ae6
SHA1 84287315dc22e9395176ba73672b81167ecf6564
SHA256 e0bca39a8d65aa5d6fa66c73cdfb5f914f4b738bcd92e757f0e919d0ba3dfc91
SHA512 a7e7c1f5927ae7c7e345ae2d876c875993b93c8a417dfc96aa1ce8e9865ba67a2c9198801de9f75fa630a5d9f8a02cfa99d3391ae7e489785139980b5cdd88cc

The path shows the note was dropped on a second volume (F:) and inside its recycle-bin folder, not only under Program Files on C:.
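The signature tables in this report are exported as four space-separated columns, but the Description and Indicator values themselves contain spaces, so a naive split breaks on paths such as C:\Program Files (x86)\.... The Python below, added here as an example and not part of the sandbox's own tooling, parses each row from the right (Process and Target never contain spaces in this export) and then groups the results into encryption targets, per-directory ransom notes, the per-run temp name, the privileges enabled by vssvc.exe and the cross-process memory writes. SAMPLE_ROWS are copied from the behavioral1 tables above; the note filename (DECRYPT-FILES.txt) and the 16-hex-character .tmp pattern are assumptions read off those rows.

```python
"""Parse flattened 'Description Indicator Process Target' rows from this
sandbox report and extract ransomware indicators.

Added example for this page, not the sandbox's own code. SAMPLE_ROWS are
copied from the behavioral1 tables; RANSOM_NOTE and TMP_NAME_RE are
assumptions derived from those rows.
"""
import re
from collections import Counter
from dataclasses import dataclass

FILE_DESCRIPTIONS = ("File opened for modification", "File created")
RANSOM_NOTE = "DECRYPT-FILES.txt"                                # assumption: from the rows
TMP_NAME_RE = re.compile(r"^[0-9a-f]{16}\.tmp$", re.IGNORECASE)  # e.g. 6c210cb7a929f79d.tmp
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line):
    """Split one exported row into its four columns.

    Process and Target never contain spaces, so they are taken from the
    right; Description and Indicator (both may contain spaces) are then
    separated by vocabulary: an 'N/A' indicator or a known file description.
    """
    parts = line.strip().rsplit(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"not a four-column row: {line!r}")
    head, process, target = parts
    if head.endswith(" N/A"):                      # empty Indicator column
        return Row(head[:-4], "N/A", process, target)
    for desc in FILE_DESCRIPTIONS:
        if head.startswith(desc + " "):
            return Row(desc, head[len(desc) + 1:], process, target)
    raise ValueError(f"cannot separate Description from Indicator: {line!r}")


def classify_file_event(row):
    """Label a file row as ransom note, per-run temp file or encryption target."""
    name = row.indicator.rsplit("\\", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note"
    if TMP_NAME_RE.match(name):
        return "temp_file"
    if row.description == "File opened for modification":
        return "encrypted_target"
    return "other"


def summarize(lines):
    """Aggregate parsed rows into the indicators an analyst would extract."""
    summary = {
        "ransom_note_dirs": set(),  # every directory that received a note
        "temp_names": set(),        # per-run temp filename(s)
        "encrypted": [],            # files opened for modification
        "privileges": {},           # process -> privileges enabled on its token
        "writes": Counter(),        # (src pid, src image, dst pid, dst image) -> count
    }
    for line in lines:
        if not line.strip():
            continue
        row = parse_row(line)
        if row.description in FILE_DESCRIPTIONS:
            kind = classify_file_event(row)
            directory, _, name = row.indicator.rpartition("\\")
            if kind == "ransom_note":
                summary["ransom_note_dirs"].add(directory)
            elif kind == "temp_file":
                summary["temp_names"].add(name)
            elif kind == "encrypted_target":
                summary["encrypted"].append(row.indicator)
        elif row.description.startswith("Token: "):
            summary["privileges"].setdefault(row.process, []).append(
                row.description[len("Token: "):])
        else:
            m = WPM_RE.match(row.description)
            if m:
                key = (int(m.group(1)), row.process, int(m.group(2)), row.target)
                summary["writes"][key] += 1
    return summary


# Rows copied verbatim from the behavioral1 signature tables of this report.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\RemoveRename.docx C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c210cb7a929f79d.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ExportWrite.htm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\6c210cb7a929f79d.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
PID 2644 wrote to memory of 1912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 1912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 1912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Feeding it the full tables rather than the excerpt gives the complete list of note directories and encryption targets; the count on the writes key is what lets the seven identical WriteProcessMemory rows collapse into one indicator with a multiplicity.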

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-31 03:31
Reported: 2023-10-31 03:34
Platform: win10v2004-20231023-en
Max time kernel: 141s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

Signatures

Maze

trojan ransomware maze

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\PingNew.cab | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\RedoShow.aifc | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SetLock.otf | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\StopLock.pub | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\CompareBackup.wax | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\GroupConvertTo.vssx | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\GroupPing.mov | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\RestartMove.rle | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SendStop.vsw | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\6c4b0cb0ff7e16d7.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\AddConvertFrom.ps1 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\ConvertFromAssert.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SyncReset.ps1 | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DisconnectDeny.ini | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\RestartSwitch.edrwx | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\ShowPop.xls | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\SplitSubmit.pps | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files (x86)\6c4b0cb0ff7e16d7.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

(Recorded twice for the same process.)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1428 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The row above was recorded 3 times, i.e. three separate writes from PID 1428 into PID 912.)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\rundll32.exe (PID 1428, per the WriteProcessMemory rows)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

C:\Windows\SysWOW64\rundll32.exe (PID 912; the 32-bit host of the DLL, started with the identical command line. The file-system and process-enumeration signatures above are attributed to this process.)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1

C:\Windows\system32\vssvc.exe (Volume Shadow Copy service, started with no arguments)

C:\Windows\system32\vssvc.exe
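Both runs start from the same launch pattern: rundll32.exe loading a DLL out of the user's Temp directory by export ordinal #1, after which the 64-bit rundll32.exe in system32 writes into a SysWOW64 rundll32.exe carrying the identical command line. The Python below is an added example, not code from the sandbox or from the sample, showing how a detection over process-creation telemetry would score that command line and pair the system32/SysWOW64 processes. The event layout (pid, ppid, image, command_line) is an assumption loosely modelled on Sysmon process-creation fields; the events are constructed for the example, reusing the command line and the PIDs 2644/1912 from the behavioral1 run, with a placeholder parent PID 1000 and a benign rundll32 control-panel invocation as a negative case.

```python
"""Score process-creation events for the rundll32 launch pattern seen in
this report (Temp-directory DLL, export by ordinal, system32 -> SysWOW64
re-launch).

Added example; not part of the sandbox or the sample. The event layout is
an assumption modelled loosely on Sysmon event ID 1 fields. SAMPLE_EVENTS
are constructed: the command line and PIDs 2644/1912 come from the report,
ppid 1000 and the other events are placeholders.
"""
import ntpath  # Windows path handling regardless of host OS
import re

# rundll32 syntax: <rundll32> <dll>,<entry>  where <entry> is a name or #ordinal
RUNDLL32_ARGS = re.compile(
    r"""
    ^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+  # host binary
    (?P<dll>"[^"]+"|[^\s,]+)                                    # DLL path
    \s*,\s*(?P<entry>\#?\w+)                                    # export name or #ordinal
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Directory fragments a standard user can write to (assumed list, lower-case).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


def is_rundll32(image):
    return ntpath.basename(image).lower() == "rundll32.exe"


def parse_rundll32(command_line):
    """Return (dll_path, entry) for a rundll32 command line, else None."""
    m = RUNDLL32_ARGS.match(command_line)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("entry")


def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    reasons = []
    if not is_rundll32(event["image"]):
        return 0, reasons
    parsed = parse_rundll32(event["command_line"])
    if parsed is None:
        return 0, reasons
    dll, entry = parsed
    score = 0
    if any(fragment in dll.lower() for fragment in USER_WRITABLE):
        score += 2
        reasons.append("dll in user-writable directory")
    if entry.startswith("#"):
        score += 1
        reasons.append("export called by ordinal")
    return score, reasons


def find_wow64_relaunch(events):
    """Pair a system32 rundll32 parent with a SysWOW64 rundll32 child that
    carries the identical command line: the 64-bit host re-executing its
    32-bit counterpart to load a 32-bit DLL."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (is_rundll32(parent["image"]) and is_rundll32(child["image"])
                and "\\system32\\" in parent["image"].lower()
                and "\\syswow64\\" in child["image"].lower()
                and parent["command_line"] == child["command_line"]):
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def detect(events, threshold=2):
    """Return an alert per event at or above threshold, flagging WoW64 pairs."""
    relaunch_pids = {pid for pair in find_wow64_relaunch(events) for pid in pair}
    alerts = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            alerts.append({"pid": e["pid"], "image": e["image"], "score": score,
                           "reasons": reasons, "wow64_relaunch": e["pid"] in relaunch_pids})
    return alerts


# Constructed events: the command line and PIDs 2644/1912 are from the report.
SAMPLE_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1"
SAMPLE_EVENTS = [
    {"pid": 2644, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe", "command_line": SAMPLE_CMD},
    {"pid": 1912, "ppid": 2644, "image": r"C:\Windows\SysWOW64\rundll32.exe", "command_line": SAMPLE_CMD},
    {"pid": 3300, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},            # benign control panel
    {"pid": 3400, "ppid": 1000, "image": r"C:\Windows\system32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\Admin\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The score is deliberately additive: a DLL under a user-writable path is enough to alert on its own, and the ordinal entry point and the system32/SysWOW64 pairing raise confidence rather than gate the alert, so a sample that calls a named export or is already 64-bit still fires.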

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 identical connections)
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

None of this traffic is attributed to a process in the report. The reverse DNS lookups (in-addr.arpa queries to 8.8.8.8 for cloud and CDN addresses) and the TLS sessions to tse1.mm.bing.net, a Microsoft endpoint, are the background traffic an unattended Windows 10 image generates on its own, and the win7 run recorded no network activity at all. Nothing in this table should be taken as a command-and-control indicator for the sample.

Files

C:\Users\DECRYPT-FILES.txt

MD5 b11bfc219bea85c0c9316580099ebe1e
SHA1 8f6778d797c91ea02c81c6b8c603756b076b90e2
SHA256 565fcac311627308d8c3d013c68c1f61b400f2d87392a4e547a53ec6995a55b8
SHA512 83a087dbdec782527bde1aed9b51fa632aa9fe8c1acb94d2459cf315893a477089118c4a4a3692657d72bba7b9c90712857eee1574322bfebe00d716bc0603a8

These hashes differ from the behavioral1 copy of the note (SHA256 e0bca39a8d65aa5d6fa66c73cdfb5f914f4b738bcd92e757f0e919d0ba3dfc91), so the note content is not constant across runs, consistent with per-victim data embedded in the note. Treat the note's hash as a run-specific artefact, and use the filename DECRYPT-FILES.txt, not the hash, as the family-level indicator.