Malware Analysis Report

2024-09-22 14:43

Sample ID 231031-dbhjtsab79
Target af64b568501ce3d7e43ace3dca1183e2.bin
SHA256 bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735
Tags
maze ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

Threat Level: Known bad

The file af64b568501ce3d7e43ace3dca1183e2.bin was found to be: Known bad.

Malicious Activity Summary

maze ransomware trojan

Maze

Deletes shadow copies

Loads dropped DLL

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-31 02:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 02:49

Reported

2023-10-31 02:52

Platform

win10v2004-20231023-en

Max time kernel

152s

Max time network

146s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6beb0cb347db9a2f.tmp C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6beb0cb347db9a2f.tmp C:\Windows\syswow64\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\6beb0cb347db9a2f.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\BlockInstall.xhtml C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\InstallSkip.vsdx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\6beb0cb347db9a2f.tmp C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ReadCopy.dotx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\RegisterUnlock.xltx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\RequestSwitch.xlsx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ResolveCompare.raw C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\StartExport.htm C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\pawufefu\ReadMe.txt C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CheckpointLimit.easmx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\CompareHide.js C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\CompleteRestore.png C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\InstallExport.mpv2 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\RevokeRemove.mht C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\SuspendConnect.gif C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\GrantDisconnect.ico C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\TraceResize.mhtml C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\UseSwitch.mht C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{9E08E773-4CD6-4234-8DDB-3CBBF4A050A0} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIED49.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEDA8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58eb74.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58eb74.msi C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2852 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2852 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1344 wrote to memory of 3920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\wbem\wmic.exe
PID 1344 wrote to memory of 3920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A02C15D667296BF410A557C25210E380

C:\Windows\system32\wbem\wmic.exe

"C:\p\..\Windows\j\pdoj\ji\..\..\..\system32\tuh\..\wbem\c\hkbt\v\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x41c 0x4a8

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Windows\Installer\MSIEDA8.tmp

MD5 718d001ca0e953c5f52f8a4ae2697411
SHA1 4e5727a404418663b228fedba2007de26f830b07
SHA256 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA512 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

C:\Windows\Installer\MSIEDA8.tmp

MD5 718d001ca0e953c5f52f8a4ae2697411
SHA1 4e5727a404418663b228fedba2007de26f830b07
SHA256 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA512 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cce326af-4643-4a12-a380-014ce4469c27}_OnDiskSnapshotProp

MD5 4565da4926d6dc0261b79be07494e636
SHA1 c0b269ae72dc4c1753ea73769cffa06b1144060a
SHA256 c5cbf78f78b1eab7258562fd59168f5847cfd38c8b90d6324f51c277910a7dc1
SHA512 991e828c4bd48cd30e7cce460243b51deae018cc5532a37bc9edf9db291720e594875edeafb45c6a145465d36cdeb4a6278b8355782c0d633e3929ff1b4f53d0

memory/1344-19-0x0000000002820000-0x000000000287D000-memory.dmp

memory/1344-24-0x0000000002820000-0x000000000287D000-memory.dmp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 13fa4befb65ae433cdf5a0ae55696417
SHA1 fc9d107572403d0ee3d57c5ce03ab2ed9114018f
SHA256 2ce4bdff6731ae8fd3bf0e02187ea9eac73cb354a0d14767d232d57632ca4ceb
SHA512 af363dd6479d74c9ea961382d1ef66d176f7b8cd0a63f74fe26980268a4c3c7646b5cf59555b92594639f3fe7ca26873f6454f3dec04ba7508f2a95ed630d139

memory/1344-27-0x0000000002820000-0x000000000287D000-memory.dmp

memory/1344-30-0x0000000002820000-0x000000000287D000-memory.dmp

C:\Users\DECRYPT-FILES.txt

MD5 77c3a614c675f2b5c7cdb563292f608e
SHA1 5b98149307ec0cd34985a632295296514ac78781
SHA256 c417d48e0c3afa49ed2a5bab55a7f89c95c18f0382b5232e3697ac0b311e2d42
SHA512 96cd68e63f7a531cc4caef7b4844f3d038ace8fb587f664342e2539bd0c43da9da206ef7a0282bb612197cff647a2bdff16b67b98d259606e866d6e6a7e616b5

C:\Config.Msi\e58eb75.rbs

MD5 ab05d16b471c6eee2d6202ffbc469058
SHA1 bff924829a18da8a27014230a8c7eeca514dfa0e
SHA256 c109fca02d8d71c6fa0ff04855c32522aaae478ca5b7997b6443f4183459c922
SHA512 05728b65a4123ec2486699d0457827b9604d951ef2f1b372779ed86cc1646c44849140b2fda7b0cc4326e4f0b49c5aee31834320c55ec3fdf3e6774f9297274e

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1344-766-0x0000000002820000-0x000000000287D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B05958E041E04BBCB35D04BC68F4C579.dat

MD5 c171e02f9bbf52b4614b944705cdde91
SHA1 99d01ad9c82c8b7688117c00e7603678635fdd36
SHA256 7ca59b1f475f59187fa610ad44ec38406b1d01a837e6b90920ab1097d71e0208
SHA512 89a6d930710ac7413d29f1ba14c53901adf8ef055e76bb551a63167ea5b29a032314bf7ca16f5b5337aee45947e62eac18405e595a07cf1699a5063a70c90827

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 02:49

Reported

2023-10-31 02:52

Platform

win7-20231020-en

Max time kernel

122s

Max time network

126s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ClearMount.eps C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ConfirmSwitch.cab C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ImportRead.xml C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\SwitchClose.asx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\FormatResume.ocx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\RedoMerge.dwfx C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\AddConnect.au C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\AssertEnter.ico C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\DisableRestore.mp4v C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\JoinUse.rtf C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\PingUndo.mhtml C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ConnectResume.jpeg C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\DismountWrite.mpa C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\EnableInitialize.7z C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ExitResume.asp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\FindGroup.vdw C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\SplitConvert.3g2 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\StepUndo.ram C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\SyncDeny.emf C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\UnprotectUnlock.midi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\UseRead.cab C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\pawufefu\ReadMe.txt C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\RemoveCopy.7z C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\6dc90cd941a81769.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\ExportTest.mpp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\OpenFind.odt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\CompleteRemove.mpeg C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f7683a2.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI85A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8603.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f7683a1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7683a1.msi C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A58EC127D954BA3C811C961BB65C90F5

C:\Windows\system32\wbem\wmic.exe

"C:\nrxv\a\..\..\Windows\c\opw\ynl\..\..\..\system32\snk\a\..\..\wbem\lxsei\ecdjh\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

Network

N/A

Files

C:\Windows\Installer\MSI8603.tmp

MD5 718d001ca0e953c5f52f8a4ae2697411
SHA1 4e5727a404418663b228fedba2007de26f830b07
SHA256 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA512 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

\Windows\Installer\MSI8603.tmp

MD5 718d001ca0e953c5f52f8a4ae2697411
SHA1 4e5727a404418663b228fedba2007de26f830b07
SHA256 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA512 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

memory/2592-13-0x00000000023B0000-0x000000000240D000-memory.dmp

memory/2592-18-0x00000000023B0000-0x000000000240D000-memory.dmp

memory/2592-20-0x00000000023B0000-0x000000000240D000-memory.dmp

memory/2592-23-0x00000000023B0000-0x000000000240D000-memory.dmp

C:\$Recycle.Bin\DECRYPT-FILES.txt

MD5 fb782ce8aaf2eee1839a6ccd42cc1d37
SHA1 179d3fb8a1690314a520129a0704399cfe355d6f
SHA256 1300f288f0f36f534ccc2897a0653a5e7f2655487f6d66aae7c93895e1892388
SHA512 d3083e6901d9845d14472db33d4e53d0db7adce42d48b50941678a08b84014327ec9902a019615ca6aef90d06d147cfa53be5152ccebe280671ba4fa96b313c8

C:\Config.Msi\f7683a3.rbs

MD5 ad73565c3a021e7afc57b2be3df8ef01
SHA1 d13bf86e286520c30eaf5fd21a57564903924d68
SHA256 0eafc10378df64d9ca5223f10e482a23b534b5de8890f95d9d96205115dab224
SHA512 645b62cf20b09d40535a59805f781fadbe252234c4b5be5bddca88c8b6ae52e9ed84446394997e20643cbc8d009de80b3f5c8ade1c67c47253e381957329ed58

memory/2592-801-0x00000000023B0000-0x000000000240D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2BFC39EC52024679BD3781D4359B334F.dat

MD5 663fdb249d342d3f0fffec117cdfa382
SHA1 6dd43fceb2908949bf1d2a4538ffe7a550862c0c
SHA256 a08023d0a806a85aa75b507297db1fc5c363410d98b8c4fc2145c7889552c9e8
SHA512 1f99aac77e8d39e444214ce379957bbc4b8acb3a56f6fbb47c2c67520f4f0c493a896b8ca06888cf41bdff7e9bced117a09a331c233c1e623dbf8210c86024fc