Analysis
-
max time kernel
159s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 14:53
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20240226-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
C:\$Recycle.Bin\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exepid process 1776 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 1776 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1800 wmic.exe Token: SeSecurityPrivilege 1800 wmic.exe Token: SeTakeOwnershipPrivilege 1800 wmic.exe Token: SeLoadDriverPrivilege 1800 wmic.exe Token: SeSystemProfilePrivilege 1800 wmic.exe Token: SeSystemtimePrivilege 1800 wmic.exe Token: SeProfSingleProcessPrivilege 1800 wmic.exe Token: SeIncBasePriorityPrivilege 1800 wmic.exe Token: SeCreatePagefilePrivilege 1800 wmic.exe Token: SeBackupPrivilege 1800 wmic.exe Token: SeRestorePrivilege 1800 wmic.exe Token: SeShutdownPrivilege 1800 wmic.exe Token: SeDebugPrivilege 1800 wmic.exe Token: SeSystemEnvironmentPrivilege 1800 wmic.exe Token: SeRemoteShutdownPrivilege 1800 wmic.exe Token: SeUndockPrivilege 1800 wmic.exe Token: SeManageVolumePrivilege 1800 wmic.exe Token: 33 1800 wmic.exe Token: 34 1800 wmic.exe Token: 35 1800 wmic.exe Token: 36 1800 wmic.exe Token: SeIncreaseQuotaPrivilege 1800 wmic.exe Token: SeSecurityPrivilege 1800 wmic.exe Token: SeTakeOwnershipPrivilege 1800 wmic.exe Token: SeLoadDriverPrivilege 1800 wmic.exe Token: SeSystemProfilePrivilege 1800 wmic.exe Token: SeSystemtimePrivilege 1800 wmic.exe Token: SeProfSingleProcessPrivilege 1800 wmic.exe Token: SeIncBasePriorityPrivilege 1800 wmic.exe Token: SeCreatePagefilePrivilege 1800 wmic.exe Token: SeBackupPrivilege 1800 wmic.exe Token: SeRestorePrivilege 1800 wmic.exe Token: SeShutdownPrivilege 1800 wmic.exe Token: SeDebugPrivilege 1800 wmic.exe Token: SeSystemEnvironmentPrivilege 1800 wmic.exe Token: SeRemoteShutdownPrivilege 1800 wmic.exe Token: SeUndockPrivilege 1800 wmic.exe Token: SeManageVolumePrivilege 1800 wmic.exe Token: 33 1800 wmic.exe Token: 34 1800 wmic.exe Token: 35 1800 wmic.exe Token: 36 1800 wmic.exe Token: SeBackupPrivilege 504 vssvc.exe Token: SeRestorePrivilege 504 vssvc.exe Token: SeAuditPrivilege 504 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exedescription pid process target process PID 1776 wrote to memory of 1800 1776 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe wmic.exe PID 1776 wrote to memory of 1800 1776 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe wmic.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\system32\wbem\wmic.exe"C:\hglm\vt\..\..\Windows\ma\ggfb\in\..\..\..\system32\o\mlp\..\..\wbem\vocd\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵PID:260
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:504
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5ffb8dc4bd38326c1d921e8f515fbed66
SHA1169eb064650f2d0314be9126b089bcf15f6adbbf
SHA256e6d32461b5d4c96d6480292c345fe01e3f6fdcb5f7d7b406db901b38b89bc4af
SHA5129ceef82d88ffbff1d18e32522b89341de6d2006454d4eee864f76e9ec4b4906fe0bf65cdea2a197aefd1f5085ada48831a9122c6f99d922ee4a7d5e281902727