Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 08:34
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20240426-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\96qhhmu.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\96qhhmu.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4352 wmic.exe Token: SeSecurityPrivilege 4352 wmic.exe Token: SeTakeOwnershipPrivilege 4352 wmic.exe Token: SeLoadDriverPrivilege 4352 wmic.exe Token: SeSystemProfilePrivilege 4352 wmic.exe Token: SeSystemtimePrivilege 4352 wmic.exe Token: SeProfSingleProcessPrivilege 4352 wmic.exe Token: SeIncBasePriorityPrivilege 4352 wmic.exe Token: SeCreatePagefilePrivilege 4352 wmic.exe Token: SeBackupPrivilege 4352 wmic.exe Token: SeRestorePrivilege 4352 wmic.exe Token: SeShutdownPrivilege 4352 wmic.exe Token: SeDebugPrivilege 4352 wmic.exe Token: SeSystemEnvironmentPrivilege 4352 wmic.exe Token: SeRemoteShutdownPrivilege 4352 wmic.exe Token: SeUndockPrivilege 4352 wmic.exe Token: SeManageVolumePrivilege 4352 wmic.exe Token: 33 4352 wmic.exe Token: 34 4352 wmic.exe Token: 35 4352 wmic.exe Token: 36 4352 wmic.exe Token: SeIncreaseQuotaPrivilege 4352 wmic.exe Token: SeSecurityPrivilege 4352 wmic.exe Token: SeTakeOwnershipPrivilege 4352 wmic.exe Token: SeLoadDriverPrivilege 4352 wmic.exe Token: SeSystemProfilePrivilege 4352 wmic.exe Token: SeSystemtimePrivilege 4352 wmic.exe Token: SeProfSingleProcessPrivilege 4352 wmic.exe Token: SeIncBasePriorityPrivilege 4352 wmic.exe Token: SeCreatePagefilePrivilege 4352 wmic.exe Token: SeBackupPrivilege 4352 wmic.exe Token: SeRestorePrivilege 4352 wmic.exe Token: SeShutdownPrivilege 4352 wmic.exe Token: SeDebugPrivilege 4352 wmic.exe Token: SeSystemEnvironmentPrivilege 4352 wmic.exe Token: SeRemoteShutdownPrivilege 4352 wmic.exe Token: SeUndockPrivilege 4352 wmic.exe Token: SeManageVolumePrivilege 4352 wmic.exe Token: 33 4352 wmic.exe Token: 34 4352 wmic.exe Token: 35 4352 wmic.exe Token: 36 4352 wmic.exe Token: SeBackupPrivilege 3088 vssvc.exe Token: SeRestorePrivilege 3088 vssvc.exe Token: SeAuditPrivilege 3088 vssvc.exe Token: SeIncreaseQuotaPrivilege 1012 wmic.exe Token: SeSecurityPrivilege 1012 wmic.exe Token: SeTakeOwnershipPrivilege 1012 wmic.exe Token: SeLoadDriverPrivilege 1012 wmic.exe Token: SeSystemProfilePrivilege 1012 wmic.exe Token: SeSystemtimePrivilege 1012 wmic.exe Token: SeProfSingleProcessPrivilege 1012 wmic.exe Token: SeIncBasePriorityPrivilege 1012 wmic.exe Token: SeCreatePagefilePrivilege 1012 wmic.exe Token: SeBackupPrivilege 1012 wmic.exe Token: SeRestorePrivilege 1012 wmic.exe Token: SeShutdownPrivilege 1012 wmic.exe Token: SeDebugPrivilege 1012 wmic.exe Token: SeSystemEnvironmentPrivilege 1012 wmic.exe Token: SeRemoteShutdownPrivilege 1012 wmic.exe Token: SeUndockPrivilege 1012 wmic.exe Token: SeManageVolumePrivilege 1012 wmic.exe Token: 33 1012 wmic.exe Token: 34 1012 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 532 wrote to memory of 4352 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 92 PID 532 wrote to memory of 4352 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 92 PID 532 wrote to memory of 1012 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 97 PID 532 wrote to memory of 1012 532 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\system32\wbem\wmic.exe"C:\wcda\euoin\ura\..\..\..\Windows\ipyyb\qhxm\..\..\system32\khn\bj\ools\..\..\..\wbem\oce\w\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\Windows\system32\wbem\wmic.exe"C:\djfvh\p\..\..\Windows\qj\u\..\..\system32\j\bqyng\..\..\wbem\l\hpjca\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x418 0x2f41⤵PID:1000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_8377E48662D5407AA3BA234C733B8616.dat
Filesize940B
MD5f6e927ca28866637e7d5f2e25e7fd9f1
SHA1c1f3b33171f977c8cf039ca99fe5f9e898708879
SHA256951e4f1752a584b32df64e79b706d1300fa166295a5d4b68a0b3934f5b3dd706
SHA512c7990a228efa28aabe49cffaf4f118cb62dcbf661047ad73b0b10634f10aec56ded185d5aa1910c40574001d164cdc6ed89b2527899922d25125180682763a1a
-
Filesize
6KB
MD54c3ad2dc57c3a8d8bdeec7548ad01e84
SHA160b2f7a745b740961afafb44d720468ed067f16c
SHA25617381ac504c6bde202cf0b5eb423415ca218162dd931e8f3d38e87beda7d00fe
SHA512cc7855dc518ede8bf4ac82dfa63f2733bd6a1f1d67cfe3fafc2f0dcd0d34b394e242401794e34bd86ff4d3f8225e95aa13b254911bdc9e655b9898e6bd3b8767