Analysis Overview
SHA256
e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
Threat Level: Known bad
The file f45a18ae5714d1aeb067f1b4f4923073.bin was found to be: Known bad.
Malicious Activity Summary
Maze
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-10-31 03:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 03:31
Reported
2023-10-31 03:33
Platform
win7-20231020-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Maze
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\RemoveRename.docx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RestoreReceive.pps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ResumeInitialize.mhtml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\StepUnprotect.m1v | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SwitchReset.wps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UndoLimit.m4a | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MoveSubmit.xps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SubmitCompare.mp2v | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ExportWrite.htm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\JoinDisable.cfg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SaveSet.wpl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RenameUnprotect.m4v | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SplitMerge.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UpdateJoin.mov | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\InstallLimit.ttc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MergeRestore.xsl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\PushInvoke.cab | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\6c210cb7a929f79d.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\MoveSkip.wav | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\UninstallLimit.mpeg | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2644 wrote to memory of 1912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
F:\$RECYCLE.BIN\S-1-5-21-1154728922-3261336865-3456416385-1000\DECRYPT-FILES.txt
| Hash | Value |
|---|---|
| MD5 | a6bc87ffab145ec344f4bca0fd578ae6 |
| SHA1 | 84287315dc22e9395176ba73672b81167ecf6564 |
| SHA256 | e0bca39a8d65aa5d6fa66c73cdfb5f914f4b738bcd92e757f0e919d0ba3dfc91 |
| SHA512 | a7e7c1f5927ae7c7e345ae2d876c875993b93c8a417dfc96aa1ce8e9865ba67a2c9198801de9f75fa630a5d9f8a02cfa99d3391ae7e489785139980b5cdd88cc |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 03:31
Reported
2023-10-31 03:34
Platform
win10v2004-20231023-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Maze
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\PingNew.cab | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RedoShow.aifc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SetLock.otf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\StopLock.pub | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\CompareBackup.wax | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GroupConvertTo.vssx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\GroupPing.mov | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RestartMove.rle | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SendStop.vsw | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\6c4b0cb0ff7e16d7.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\AddConvertFrom.ps1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ConvertFromAssert.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SyncReset.ps1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\DisconnectDeny.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\RestartSwitch.edrwx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\ShowPop.xls | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\SplitSubmit.pps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6c4b0cb0ff7e16d7.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1428 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1428 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1428 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\DECRYPT-FILES.txt
| Hash | Value |
|---|---|
| MD5 | b11bfc219bea85c0c9316580099ebe1e |
| SHA1 | 8f6778d797c91ea02c81c6b8c603756b076b90e2 |
| SHA256 | 565fcac311627308d8c3d013c68c1f61b400f2d87392a4e547a53ec6995a55b8 |
| SHA512 | 83a087dbdec782527bde1aed9b51fa632aa9fe8c1acb94d2459cf315893a477089118c4a4a3692657d72bba7b9c90712857eee1574322bfebe00d716bc0603a8 |