Analysis
-
max time kernel
54s -
max time network
58s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2024 23:46
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20240221-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
C:\odt\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\85j2d.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\85j2d.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2824 wmic.exe Token: SeSecurityPrivilege 2824 wmic.exe Token: SeTakeOwnershipPrivilege 2824 wmic.exe Token: SeLoadDriverPrivilege 2824 wmic.exe Token: SeSystemProfilePrivilege 2824 wmic.exe Token: SeSystemtimePrivilege 2824 wmic.exe Token: SeProfSingleProcessPrivilege 2824 wmic.exe Token: SeIncBasePriorityPrivilege 2824 wmic.exe Token: SeCreatePagefilePrivilege 2824 wmic.exe Token: SeBackupPrivilege 2824 wmic.exe Token: SeRestorePrivilege 2824 wmic.exe Token: SeShutdownPrivilege 2824 wmic.exe Token: SeDebugPrivilege 2824 wmic.exe Token: SeSystemEnvironmentPrivilege 2824 wmic.exe Token: SeRemoteShutdownPrivilege 2824 wmic.exe Token: SeUndockPrivilege 2824 wmic.exe Token: SeManageVolumePrivilege 2824 wmic.exe Token: 33 2824 wmic.exe Token: 34 2824 wmic.exe Token: 35 2824 wmic.exe Token: 36 2824 wmic.exe Token: SeIncreaseQuotaPrivilege 2824 wmic.exe Token: SeSecurityPrivilege 2824 wmic.exe Token: SeTakeOwnershipPrivilege 2824 wmic.exe Token: SeLoadDriverPrivilege 2824 wmic.exe Token: SeSystemProfilePrivilege 2824 wmic.exe Token: SeSystemtimePrivilege 2824 wmic.exe Token: SeProfSingleProcessPrivilege 2824 wmic.exe Token: SeIncBasePriorityPrivilege 2824 wmic.exe Token: SeCreatePagefilePrivilege 2824 wmic.exe Token: SeBackupPrivilege 2824 wmic.exe Token: SeRestorePrivilege 2824 wmic.exe Token: SeShutdownPrivilege 2824 wmic.exe Token: SeDebugPrivilege 2824 wmic.exe Token: SeSystemEnvironmentPrivilege 2824 wmic.exe Token: SeRemoteShutdownPrivilege 2824 wmic.exe Token: SeUndockPrivilege 2824 wmic.exe Token: SeManageVolumePrivilege 2824 wmic.exe Token: 33 2824 wmic.exe Token: 34 2824 wmic.exe Token: 35 2824 wmic.exe Token: 36 2824 wmic.exe Token: SeBackupPrivilege 1456 vssvc.exe Token: SeRestorePrivilege 1456 vssvc.exe Token: SeAuditPrivilege 1456 vssvc.exe Token: SeIncreaseQuotaPrivilege 696 wmic.exe Token: SeSecurityPrivilege 696 wmic.exe Token: SeTakeOwnershipPrivilege 696 wmic.exe Token: SeLoadDriverPrivilege 696 wmic.exe Token: SeSystemProfilePrivilege 696 wmic.exe Token: SeSystemtimePrivilege 696 wmic.exe Token: SeProfSingleProcessPrivilege 696 wmic.exe Token: SeIncBasePriorityPrivilege 696 wmic.exe Token: SeCreatePagefilePrivilege 696 wmic.exe Token: SeBackupPrivilege 696 wmic.exe Token: SeRestorePrivilege 696 wmic.exe Token: SeShutdownPrivilege 696 wmic.exe Token: SeDebugPrivilege 696 wmic.exe Token: SeSystemEnvironmentPrivilege 696 wmic.exe Token: SeRemoteShutdownPrivilege 696 wmic.exe Token: SeUndockPrivilege 696 wmic.exe Token: SeManageVolumePrivilege 696 wmic.exe Token: 33 696 wmic.exe Token: 34 696 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 536 wrote to memory of 2824 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 84 PID 536 wrote to memory of 2824 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 84 PID 536 wrote to memory of 696 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 90 PID 536 wrote to memory of 696 536 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 90 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\system32\wbem\wmic.exe"C:\hknpe\xan\..\..\Windows\rmlgt\..\system32\lswka\pdus\vd\..\..\..\wbem\p\onty\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\system32\wbem\wmic.exe"C:\jfj\efme\..\..\Windows\v\tliq\gq\..\..\..\system32\o\be\wsero\..\..\..\wbem\dw\hna\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c 0x3041⤵PID:2832
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5cb5fa0514f353fea7ad28fb60389566d
SHA12f67db46ba883ca900b47838c1410a8e37af6d02
SHA25617f69133e4ab7714166d34f901154431b664c8d0b891cf072d159c810d6a0c26
SHA5124910749a8cc003bfcb467914539c10776dd6233117b968de75ebab5ccf86ab160eda3b73c53d9f0de7c8c9d395f98d5ae34525029d0c07f80172f2dfb063e9df