Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 07:19

Static task: static1

Behavioral task: behavioral1
  Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
  Resource: win10v2004-20231215-en
General
Target: Device/HarddiskVolume3/Users/User1/Desktop/LetsDefend/SOC104 - Malware Detected/e8a091a84dd2ea7ee429.exe
Size: 473KB
MD5: f83fb9ce6a83da58b20685c1d7e1e546
SHA1: 01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SHA512: 934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
SSDEEP: 12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted from: C:\$Recycle.Bin\DECRYPT-FILES.html
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | e8a091a84dd2ea7ee429.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ah3d87.dat | e8a091a84dd2ea7ee429.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | e8a091a84dd2ea7ee429.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2112 | e8a091a84dd2ea7ee429.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 tokens is recorded twice, 40 IoCs) | 2828 | wmic.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 IoCs) | 788 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege (21 IoCs) | 840 | wmic.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2112 wrote to memory of 2828 | 2112 | e8a091a84dd2ea7ee429.exe | 28
  PID 2112 wrote to memory of 2828 | 2112 | e8a091a84dd2ea7ee429.exe | 28
  PID 2112 wrote to memory of 2828 | 2112 | e8a091a84dd2ea7ee429.exe | 28
  PID 2112 wrote to memory of 2828 | 2112 | e8a091a84dd2ea7ee429.exe | 28
  PID 2112 wrote to memory of 840 | 2112 | e8a091a84dd2ea7ee429.exe | 34
  PID 2112 wrote to memory of 840 | 2112 | e8a091a84dd2ea7ee429.exe | 34
  PID 2112 wrote to memory of 840 | 2112 | e8a091a84dd2ea7ee429.exe | 34
  PID 2112 wrote to memory of 840 | 2112 | e8a091a84dd2ea7ee429.exe | 34
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\User1\Desktop\LetsDefend\SOC104 - Malware Detected\e8a091a84dd2ea7ee429.exe"
  PID: 2112
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wbem\wmic.exe (child of PID 2112)
    Command line: "C:\u\gyst\p\..\..\..\Windows\wl\lstvw\ut\..\..\..\system32\jiogt\..\wbem\evpyp\..\wmic.exe" shadowcopy delete
    PID: 2828
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wbem\wmic.exe (child of PID 2112)
    Command line: "C:\ti\..\Windows\g\mdf\soby\..\..\..\system32\jwd\wcwqg\yd\..\..\..\wbem\vjeo\dy\si\..\..\..\wmic.exe" shadowcopy delete
    PID: 840
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 788
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  PID: 744
Network
MITRE ATT&CK Enterprise v15
Downloads
(file name not recorded)
  Filesize: 6KB
  MD5: 1ca67a2c049e99b5e35d268aadf2a33b
  SHA1: e791963fd92b57834fa5e81258dd062ac4cfc3ce
  SHA256: 57050182ac0e21fcf4c22a1e6bf1e0c51afdfe8cf511f29211fa032d217f5f03
  SHA512: 971b243486f8dc2ae3e1b6da09503121393c678f7a8f73dde1186ecafe41dac86527a27c6328005d48553e03d403cea9e40b8f8aadda823fc079a9368c22dcd5
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_02D6C19F426A43CEA176A1ECE8DC3356.dat
  Filesize: 940B
  MD5: 17822b34095e0be857749fa7d0a606d7
  SHA1: 34ac68881a108407ab529cbb09d1948081dcf13f
  SHA256: 3e2eaab1b3c0f9d9eafb196be1306bec8c9005e603e845470a2f0b730a7648f3
  SHA512: fe638d74dc3b94d1291f8c96b41aad57b91b8be0e0c7f9a7c767503ee6dc0ef77b843a1a524c8c04e7479253bae6abb9de0c95cd6a0559cd08171d41e0484847