Analysis

max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2024 19:51

Static task: static1
Behavioral task: behavioral1
  Sample: Week 5 Malware.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Week 5 Malware.exe
  Resource: win10v2004-20231215-en

The results below are from behavioral2 (the win10v2004-20231215-en run, matching the platform and resource fields above).
General

Target: Week 5 Malware.exe
Size: 1.1MB
MD5: ce65b4b61c076642a5f98fa780d43899
SHA1: 0a60240eb6e96836d6ca4b82f531ecc98ddbb4bb
SHA256: e84c050d38730a0bf098476cc6a167f9944521a0e4e1beedb2dab331a166fc52
SHA512: 3f74a006ea16c182a3eaa896886fb7ed70ebf4fb74641dca77bcff300e89fe1ce230ac1fb29b168f7b0d4033954917439add8e31ea027c9041ffc3363220323f
SSDEEP: 12288:BB4ONL1Oa+iJBPWhbvULrJ6Bti3ERXxlcWdMhaex:j9hEYsbvULrwC+Xxlc+Pex
Malware Config

Extracted
Path: C:\$Recycle.Bin\DECRYPT-FILES.txt
Family: maze
URLs:
http://aoacugmutagkwctu.onion/88fa09a77d00ecfc
https://mazedecrypt.top/88fa09a77d00ecfc

The trailing path component 88fa09a77d00ecfc is the per-victim ID from the ransom note; the same value recurs below as the name of the .tmp marker files the sample writes into each directory it processes, so the two can be used to tie the note, the dropped files and the payment URLs to one infection.
Signatures

Maze
Ransomware family also known as ChaCha.

Deletes shadow copies (2 TTPs)
Ransomware commonly deletes Volume Shadow Copy snapshots so that encrypted files cannot be restored from a previous version. Here the sample spawns wmic.exe with the arguments "shadowcopy delete" (see the process tree below).

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | Week 5 Malware.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88fa09a77d00ecfc.tmp | Week 5 Malware.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | Week 5 Malware.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\88fa09a77d00ecfc.tmp | Week 5 Malware.exe
The 88fa09a77d00ecfc.tmp files are named after the victim ID in the extracted config and act as per-directory markers, not payloads. A .txt in the user's Startup folder is opened through its file association when Explorer processes startup items at logon, which is how the ransom note resurfaces after a reboot; nothing here is an executable persistence mechanism.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No file-level IoCs are listed for this hit; for a file-encrypting family, walking the browser profile directories during the encryption pass is enough to trigger it, so on its own it is weak evidence of credential theft.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | Week 5 Malware.exe

Drops file in Program Files directory (29 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\88fa09a77d00ecfc.tmp | Week 5 Malware.exe
File opened for modification | C:\Program Files\AddGrant.xml | Week 5 Malware.exe
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | Week 5 Malware.exe
File opened for modification | C:\Program Files\GetExport.MTS | Week 5 Malware.exe
File opened for modification | C:\Program Files\PushGet.xht | Week 5 Malware.exe
File opened for modification | C:\Program Files\RegisterApprove.wpl | Week 5 Malware.exe
File opened for modification | C:\Program Files\ConvertToHide.M2T | Week 5 Malware.exe
File opened for modification | C:\Program Files\CopyRedo.contact | Week 5 Malware.exe
File opened for modification | C:\Program Files\MeasureSuspend.pptm | Week 5 Malware.exe
File opened for modification | C:\Program Files\CheckpointOptimize.easmx | Week 5 Malware.exe
File opened for modification | C:\Program Files\ConfirmUnpublish.jpe | Week 5 Malware.exe
File opened for modification | C:\Program Files\DismountSend.dxf | Week 5 Malware.exe
File opened for modification | C:\Program Files\StopMerge.rtf | Week 5 Malware.exe
File opened for modification | C:\Program Files\ClearLimit.vssx | Week 5 Malware.exe
File opened for modification | C:\Program Files\CompleteConvertFrom.M2V | Week 5 Malware.exe
File opened for modification | C:\Program Files\ResumeDeny.midi | Week 5 Malware.exe
File opened for modification | C:\Program Files\SetEnable.jpg | Week 5 Malware.exe
File opened for modification | C:\Program Files\OpenSave.dwg | Week 5 Malware.exe
File opened for modification | C:\Program Files\ResetUnprotect.pub | Week 5 Malware.exe
File opened for modification | C:\Program Files\PublishRename.nfo | Week 5 Malware.exe
File opened for modification | C:\Program Files\ShowRead.docm | Week 5 Malware.exe
File opened for modification | C:\Program Files\88fa09a77d00ecfc.tmp | Week 5 Malware.exe
File opened for modification | C:\Program Files\ProtectSuspend.php | Week 5 Malware.exe
File opened for modification | C:\Program Files\RenameReset.dwg | Week 5 Malware.exe
File opened for modification | C:\Program Files\ConfirmMerge.bmp | Week 5 Malware.exe
File opened for modification | C:\Program Files\MountNew.vsdm | Week 5 Malware.exe
File opened for modification | C:\Program Files\SearchExit.xps | Week 5 Malware.exe
File created | C:\Program Files\DECRYPT-FILES.txt | Week 5 Malware.exe
File opened for modification | C:\Program Files\ApproveCompress.zip | Week 5 Malware.exe
The "opened for modification" rows with document, media, CAD and archive extensions are the sandbox's decoy files being encrypted in place; the DECRYPT-FILES.txt and 88fa09a77d00ecfc.tmp rows are the note and victim marker written into each directory as it is processed.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4564 | Week 5 Malware.exe
4564 | Week 5 Malware.exe

Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 5064 | vssvc.exe
Token: SeRestorePrivilege | 5064 | vssvc.exe
Token: SeAuditPrivilege | 5064 | vssvc.exe
Token: each of the following, listed twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 416 | wmic.exe
Token: 33 | 1352 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1352 | AUDIODG.EXE
The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The wmic.exe block is the full set of privileges present in an elevated token being enabled at once, which is typical of wmic.exe on any launch rather than something the sample did; the interesting fact is that the sample launched wmic.exe at all, and with which arguments. The vssvc.exe entries (SeBackupPrivilege, SeRestorePrivilege) are normal for the Volume Shadow Copy service.

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 4564 wrote to memory of 416 | 4564 | Week 5 Malware.exe | 95
PID 4564 wrote to memory of 416 | 4564 | Week 5 Malware.exe | 95
Two writes from the parent into the child it has just created, and no writes to any other process, are consistent with ordinary process start-up (CreateProcess populates the new process's parameters from the parent) rather than with code injection into wmic.exe; nothing in this report shows injected code.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. vssvc.exe (PID 5064) appears as a separate top-level process in the tree below because it is a service started on demand to handle the deletion request issued through wmic.exe.
Processes

C:\Users\Admin\AppData\Local\Temp\Week 5 Malware.exe (PID 4564, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Week 5 Malware.exe"
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\wbem\wmic.exe (PID 416, depth 2, child of PID 4564)
  Command line: "C:\kpxjt\o\..\..\Windows\ha\gpg\..\..\system32\jxo\yud\f\..\..\..\wbem\tqs\cpb\..\..\wmic.exe" shadowcopy delete
  - Suspicious use of AdjustPrivilegeToken
  The image path on the command line is padded with non-existent directories that are immediately cancelled by ".." segments. The Win32 path parser collapses the string lexically to C:\Windows\system32\wbem\wmic.exe before the file is opened, so the padding directories never have to exist. The purpose is to defeat rules that look for the literal substring "system32\wbem\wmic.exe" or "wmic.exe shadowcopy delete" in the command line; match on the resolved image path (the first column here) or normalize argv[0] before matching.

C:\Windows\system32\vssvc.exe (PID 5064, depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE (PID 1352, depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x308 0x244
- Suspicious use of AdjustPrivilegeToken
AUDIODG.EXE is the Windows audio engine; it is unrelated to the sample and is in the tree only because it adjusted its own token during the run.
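The obfuscated wmic.exe path above is the detail worth turning into a detection. The following Python is an added example, not part of the sandbox report or of any sandbox tooling: it tokenizes a Windows command line, collapses "." and ".." in argv[0] the same way the Win32 path parser does (ntpath.normpath), and only then matches the shadow-copy deletion pattern, so the junk directories do not hide the binary. It runs over a constructed event list: the first row copies the wmic.exe command line and the parent/child PIDs from this report, while the benign WMI query and the vssadmin row are invented for contrast. The pid/ppid/cmdline field names are assumptions.

```python
"""Flag shadow-copy deletion from process-creation events even when argv[0]
is obfuscated with junk directories and '..' segments."""
import ntpath
import re
from typing import Dict, List

# Constructed sample events. Row 1 reproduces the wmic.exe command line and the
# 4564 -> 416 parent/child relationship from this report; rows 2 and 3 are
# invented (a benign WMI query, and the vssadmin form of the same technique).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 416, "ppid": 4564,
     "cmdline": r'"C:\kpxjt\o\..\..\Windows\ha\gpg\..\..\system32\jxo\yud\f\..\..\..\wbem\tqs\cpb\..\..\wmic.exe" shadowcopy delete'},
    {"pid": 9001, "ppid": 1234,
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" os get caption'},
    {"pid": 9002, "ppid": 4564,
     "cmdline": r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet'},
]


def split_cmdline(cmdline: str) -> List[str]:
    # Minimal Windows command-line tokenizer: a double-quoted run is one token,
    # everything else splits on whitespace. Enough for argv[0] plus plain arguments.
    return [tok[1:-1] if tok.startswith('"') else tok
            for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalize_image_path(path: str) -> str:
    # Collapse '.' and '..' lexically, as the Win32 path parser does before the
    # file is opened. C:\kpxjt\o\..\..\Windows\... therefore becomes C:\Windows\...
    # without any of the padding directories having to exist.
    return ntpath.normpath(path)


def detect_shadow_copy_deletion(events: List[Dict]) -> List[Dict]:
    """One finding per event whose normalized image is wmic.exe or vssadmin.exe
    and whose arguments request deletion of shadow copies."""
    findings: List[Dict] = []
    for ev in events:
        tokens = split_cmdline(ev["cmdline"])
        if not tokens:
            continue
        image = normalize_image_path(tokens[0])
        base = ntpath.basename(image).lower()
        args = {t.lower() for t in tokens[1:]}
        rule = None
        if base == "wmic.exe" and {"shadowcopy", "delete"} <= args:
            rule = "wmic shadowcopy delete"
        elif base == "vssadmin.exe" and {"delete", "shadows"} <= args:
            rule = "vssadmin delete shadows"
        if rule:
            findings.append({
                "pid": ev["pid"],
                "ppid": ev["ppid"],
                "image": image,
                "rule": rule,
                # True when the literal argv[0] differs from its normalized form,
                # i.e. the caller went out of its way to disguise the binary.
                "obfuscated_path": tokens[0].lower() != image.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(finding)
```

The obfuscated_path flag is worth scoring on its own: a legitimate administrator typing "wmic shadowcopy delete" does not route through C:\kpxjt\o\..\.., so a true value on a shadow-copy deletion is a strong signal even before the parent process is considered.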
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (no path listed in the report)
Filesize: 9KB
MD5: 1ddaaf959ab234ebbfaa40b8206183b9
SHA1: 5472ab129d7388c795a40c14738c69dff4ec711a
SHA256: 1db138bff64e2e93a3bf7035fb69e063473e6e4b35a212e8eabc0d9d574cdd70
SHA512: 5f1de7d6ce5b216679085c19f0e9a34d730e7b3d661c325494fee5004d9d1165a32435320211b9774d5790fd3fbdd1d843c97bf6ebf7dd06ca1ca4c89cfd732b

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_D0D9AC7FA6A94AA49E974FBE6960B8A1.dat
Filesize: 940B
MD5: 610b2d07b108c3e21a207b3b66df0ac6
SHA1: 73df193f0b266a76faa0a544ddbcaffc463afb1e
SHA256: 1734d0a1ea158492cc47e5760ac5b78a4fb4fcf234bbab6063014a6fe2975f96
SHA512: 1422e3d5b0757aa688ac2eb8f6acbd2cd0e71a7c5e27189223fe40f1c2be3023e4c0ae400af09ead9ed77be0f53c38a55c83d959c100a8ab69d70c864bdcb9dd