Analysis
max time kernel: 139s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
  Resource: win10v2004-20231222-en
General
Target: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
Size: 473KB
MD5: f83fb9ce6a83da58b20685c1d7e1e546
SHA1: 01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SHA512: 934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
SSDEEP: 12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted: F:\$RECYCLE.BIN\DECRYPT-FILES.html
Signatures
Maze
  Ransomware family also known as ChaCha.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Drops startup file (2 IoCs)
  Processes:
    e8a091a84dd2ea7ee429.exe
      File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f5xarl.dat
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    e8a091a84dd2ea7ee429.exe
      Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2028 e8a091a84dd2ea7ee429.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    wmic.exe (pid 2648), the following sequence recorded twice (40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    vssvc.exe (pid 2540), 3 IoCs: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wmic.exe (pid 112), 21 IoCs: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 2028 (e8a091a84dd2ea7ee429.exe) wrote to memory of PID 2648 (procid_target 28), recorded 4 times
    PID 2028 (e8a091a84dd2ea7ee429.exe) wrote to memory of PID 112 (procid_target 36), recorded 4 times
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe"
  PID: 2028
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\sgaqr\..\Windows\q\xo\..\..\system32\he\msmyt\..\..\wbem\nnwi\n\mk\..\..\..\wmic.exe" shadowcopy delete
      PID: 2648
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\yvs\..\Windows\xi\..\system32\bhei\jdrd\..\..\wbem\nnr\w\ttkke\..\..\..\wmic.exe" shadowcopy delete
      PID: 112
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2540
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  PID: 568
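The two wmic.exe command lines in the process tree reach the real binary through directories that never existed (C:\sgaqr, C:\yvs, ...) followed by `..` segments. Win32 resolves `..` lexically before the path touches the filesystem, so the process runs normally, but a detection that looks for the literal string C:\Windows\system32\wbem\wmic.exe in the command line sees neither invocation. The Python below is an added example for this report, not sandbox output and not code from the sample: it normalizes the image path before matching, and flags both the shadow-copy deletion and the traversal trick on its own. The two obfuscated command lines are copied from the process tree above; the benign wmic query and the vssadmin line are constructed for contrast, and the rule table is the example's own assumption, not a reproduction of the sandbox signature.

```python
"""Added example: detect shadow-copy deletion behind '..' path obfuscation.

Not part of the sandbox report. Normalizes the image path of a Windows
command line (collapsing '.' and '..' the way Win32 does lexically) and
then matches on the resolved binary name plus its arguments.
"""
import ntpath
import re

# First two lines: copied from the process tree in this report.
# Last two lines: constructed for contrast (one benign, one unobfuscated).
SAMPLE_CMDLINES = [
    r'"C:\sgaqr\..\Windows\q\xo\..\..\system32\he\msmyt\..\..\wbem\nnwi\n\mk\..\..\..\wmic.exe" shadowcopy delete',
    r'"C:\yvs\..\Windows\xi\..\system32\bhei\jdrd\..\..\wbem\nnr\w\ttkke\..\..\..\wmic.exe" shadowcopy delete',
    r'"C:\Windows\system32\wbem\wmic.exe" os get caption',          # constructed: benign WMI query
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',  # constructed: classic form
]

# Assumed rule table (the example's own, not the sandbox signature):
# resolved image basename -> argument pattern that destroys shadow copies.
SHADOW_DELETE_RULES = {
    "wmic.exe": re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    "vssadmin.exe": re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE),
}


def split_image(cmdline: str) -> tuple[str, str]:
    """Separate the image path from its arguments using the Windows rule:
    a leading double quote delimits the image, otherwise the first space does."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:  # unterminated quote: treat the remainder as the image
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()


def has_traversal(raw_path: str) -> bool:
    """True if the path contains '.' or '..' segments, i.e. it was written to
    resolve somewhere other than where it literally points."""
    return any(seg in (".", "..") for seg in re.split(r"[\\/]", raw_path))


def normalize_image(raw_path: str) -> str:
    """Collapse '.' and '..' and lowercase. ntpath.normpath is purely lexical,
    which is exactly how Win32 turns C:\\sgaqr\\..\\Windows into C:\\Windows
    even though C:\\sgaqr never existed on the host."""
    return ntpath.normpath(raw_path).lower()


def analyze(cmdline: str) -> dict:
    """Classify one process command line."""
    raw_image, args = split_image(cmdline)
    image = normalize_image(raw_image)
    rule = SHADOW_DELETE_RULES.get(ntpath.basename(image))
    return {
        "cmdline": cmdline,
        "image": image,
        "obfuscated_path": has_traversal(raw_image),
        "shadow_copy_deletion": bool(rule and rule.search(args)),
    }


def scan(cmdlines: list[str]) -> list[dict]:
    """Run analyze() over a batch, e.g. every command line in a process tree."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        flags = [k for k in ("obfuscated_path", "shadow_copy_deletion") if finding[k]]
        print(f"{finding['image']:40} {', '.join(flags) or 'clean'}")
```

Matching on the resolved image rather than on the raw command line is the durable form of this detection; process-creation telemetry such as Sysmon event 1 already records the resolved image path in a separate field, so a rule keyed on that field plus the arguments is not fooled by the padding. The traversal check is worth alerting on by itself: there is no legitimate reason for a command line to reach wmic.exe through directories that do not exist.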
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_03AA5FA515384E32A090395B5F26959A.dat
  Filesize: 940B
  MD5: 74354b3f7c4821943b57e1e0856dae69
  SHA1: c42f34f42811ca4c399abf17a8b6df5240475e8b
  SHA256: 6ac90b35b89d5281229b425c80c1ea3af18caf351f2f9d0d18ce6230290f7078
  SHA512: 544015313d4629786caddd490b1a9f00f07298c1f79b712331daaef608671a1b24369b54f5e4750d5d9af480779fb2a7cd1998865e552792e2d19d96fc13a654
Second file (no path recorded in this report)
  Filesize: 6KB
  MD5: 2e0a44f3a9f10a5d5d708db968e1496a
  SHA1: 6c4da7306efd223dc6798a5f6ba5644a100f7945
  SHA256: 134eba2ab18bdd5db2f938cbe98e1b4c66c2ed5f913818f4b132e02665dd53ce
  SHA512: 02d02c8f277301c5575dfa5b9ccf2734704fdce7ce887f841cb575e335bed2cade9f168cf144e4539596fdd0916f9273474a8de935dc3301e862332a0880656e