Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 07:18
Static task: static1
Behavioral task: behavioral1
Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
Resource: win10v2004-20231222-en
General
Target: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
Size: 473KB
MD5: f83fb9ce6a83da58b20685c1d7e1e546
SHA1: 01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SHA512: 934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
SSDEEP: 12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted: C:\odt\DECRYPT-FILES.html
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (4 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | e8a091a84dd2ea7ee429.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cl04anqt.dat | e8a091a84dd2ea7ee429.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html | e8a091a84dd2ea7ee429.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cl04anqt.dat | e8a091a84dd2ea7ee429.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | e8a091a84dd2ea7ee429.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4012 | e8a091a84dd2ea7ee429.exe
  4012 | e8a091a84dd2ea7ee429.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 1112 | wmic.exe (this sequence of 21 tokens is recorded twice, 42 entries)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 4656 | vssvc.exe (3 entries)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 | 4444 | wmic.exe (19 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4012 wrote to memory of 1112 | 4012 | e8a091a84dd2ea7ee429.exe | 96
  PID 4012 wrote to memory of 1112 | 4012 | e8a091a84dd2ea7ee429.exe | 96
  PID 4012 wrote to memory of 4444 | 4012 | e8a091a84dd2ea7ee429.exe | 101
  PID 4012 wrote to memory of 4444 | 4012 | e8a091a84dd2ea7ee429.exe | 101
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe"
  PID: 4012
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\gc\rdswc\..\..\Windows\bdbo\..\system32\me\fyn\..\..\wbem\e\kaxyk\..\..\wmic.exe" shadowcopy delete
    PID: 1112
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\j\eb\j\..\..\..\Windows\pl\..\system32\lryw\..\wbem\bwysq\eya\uip\..\..\..\wmic.exe" shadowcopy delete
    PID: 4444
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4656
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3c4 0x450
  PID: 224
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_96B3271690214F968EB040C8FB40977C.dat
  Filesize: 940B
  MD5: caa08f6f601f33dee84d6b25eb7bac7a
  SHA1: fc4c6ea355d17b6907143af83cf636a34f51f1a5
  SHA256: c7a8d65b32091bb67bf4533cfc150cf0e75e9118957eb044e1b47b1ffe7db283
  SHA512: c9e810242c76b9b4c3d3a79352618b3dade71091881c939b96c6c5559ff63b401be7d3fc1d3ab02480f3754414ead2f60de11233b1c0f3f2f498d98f364d0d5a
- Filesize: 6KB
  MD5: 087bdbc95269099663d70fc46c318d56
  SHA1: df4deff5990c5ab77fd4074ebbbdec3738f8a79a
  SHA256: fa562841034420a1063dbcc0e684914ee65607efa2bdd90eb7aa218de7af127c
  SHA512: 678ddb85ef1302e0974d970d4d3af56c22c72d6c1dede23efbea13f40d911a3e1a4f6ff757ed7f367ef03a751c49856dcc2482e6f6e53a8a74b7c418578f88e7