Analysis
max time kernel: 152s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2023 02:49

Static task: static1
Behavioral task: behavioral1
  Sample: af64b568501ce3d7e43ace3dca1183e2.msi
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: af64b568501ce3d7e43ace3dca1183e2.msi
  Resource: win10v2004-20231023-en
General
Target: af64b568501ce3d7e43ace3dca1183e2.msi
Size: 496KB
MD5: af64b568501ce3d7e43ace3dca1183e2
SHA1: 88d52d7ebe72415d1ee1ff16ffe8afda0b052df0
SHA256: bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735
SHA512: b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d
SSDEEP: 12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh
Malware Config
Extracted from: C:\Users\DECRYPT-FILES.txt
Family: maze
URLs:
- http://aoacugmutagkwctu.onion/6beb0cb347db9a2f
- https://mazedecrypt.top/6beb0cb347db9a2f
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (4 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt (MsiExec.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6beb0cb347db9a2f.tmp (MsiExec.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt (MsiExec.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6beb0cb347db9a2f.tmp (MsiExec.exe)
- Loads dropped DLL (1 IoCs)
  PID 1344 (MsiExec.exe)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  46 rows, each "File opened (read-only) \??\<drive>: msiexec.exe", with the drive letters in the order recorded:
  E, G, K, Q, Y, A, T, H, J, M, S, W, B, I, K, A, E, I, U, H, P, Q, V, W, O, N, O, S, Y, B, P, Z, M, X, Z, G, R, X, V, J, R, U, L, N, T, L
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" (MsiExec.exe)
- Drops file in Program Files directory (21 IoCs)
  File opened for modification: C:\Program Files\6beb0cb347db9a2f.tmp (MsiExec.exe)
  File opened for modification: C:\Program Files\BlockInstall.xhtml (MsiExec.exe)
  File opened for modification: C:\Program Files\InstallSkip.vsdx (MsiExec.exe)
  File opened for modification: C:\Program Files (x86)\6beb0cb347db9a2f.tmp (MsiExec.exe)
  File created: C:\Program Files\DECRYPT-FILES.txt (MsiExec.exe)
  File opened for modification: C:\Program Files\ReadCopy.dotx (MsiExec.exe)
  File opened for modification: C:\Program Files\RegisterUnlock.xltx (MsiExec.exe)
  File opened for modification: C:\Program Files\RequestSwitch.xlsx (MsiExec.exe)
  File opened for modification: C:\Program Files\ResolveCompare.raw (MsiExec.exe)
  File opened for modification: C:\Program Files\StartExport.htm (MsiExec.exe)
  File created: C:\Program Files (x86)\DECRYPT-FILES.txt (MsiExec.exe)
  File created: C:\Program Files (x86)\pawufefu\ReadMe.txt (msiexec.exe)
  File opened for modification: C:\Program Files\CheckpointLimit.easmx (MsiExec.exe)
  File opened for modification: C:\Program Files\CompareHide.js (MsiExec.exe)
  File opened for modification: C:\Program Files\CompleteRestore.png (MsiExec.exe)
  File opened for modification: C:\Program Files\InstallExport.mpv2 (MsiExec.exe)
  File opened for modification: C:\Program Files\RevokeRemove.mht (MsiExec.exe)
  File opened for modification: C:\Program Files\SuspendConnect.gif (MsiExec.exe)
  File opened for modification: C:\Program Files\GrantDisconnect.ico (MsiExec.exe)
  File opened for modification: C:\Program Files\TraceResize.mhtml (MsiExec.exe)
  File opened for modification: C:\Program Files\UseSwitch.mht (MsiExec.exe)
- Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{9E08E773-4CD6-4234-8DDB-3CBBF4A050A0} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIED49.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIEDA8.tmp (msiexec.exe)
  File created: C:\Windows\Installer\e58eb74.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e58eb74.msi (msiexec.exe)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2852 (msiexec.exe), twice
  PID 1344 (MsiExec.exe), twice
- Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped here by process; repeated entries are kept as recorded)
  PID 5036 (msiexec.exe): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2852 (msiexec.exe): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  PID 4620 (vssvc.exe): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 4624 (srtasks.exe): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  PID 3920 (wmic.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 5036 (msiexec.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2852 (msiexec.exe) wrote to memory of 4624 (procid_target 112), twice
  PID 2852 (msiexec.exe) wrote to memory of 1344 (procid_target 114), three times
  PID 1344 (MsiExec.exe) wrote to memory of 3920 (procid_target 116), twice
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 5036)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2852)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4624)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 1344)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A02C15D667296BF410A557C25210E380
    - Drops startup file
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wbem\wmic.exe (PID 3920)
      Command line: "C:\p\..\Windows\j\pdoj\ji\..\..\..\system32\tuh\..\wbem\c\hkbt\v\..\..\..\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 4620)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (PID 4036)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x41c 0x4a8
MITRE ATT&CK Enterprise v15