Analysis
-
max time kernel
138s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 08:45
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20240426-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
C:\$Recycle.Bin\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yvasrzdr.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2580 wmic.exe Token: SeSecurityPrivilege 2580 wmic.exe Token: SeTakeOwnershipPrivilege 2580 wmic.exe Token: SeLoadDriverPrivilege 2580 wmic.exe Token: SeSystemProfilePrivilege 2580 wmic.exe Token: SeSystemtimePrivilege 2580 wmic.exe Token: SeProfSingleProcessPrivilege 2580 wmic.exe Token: SeIncBasePriorityPrivilege 2580 wmic.exe Token: SeCreatePagefilePrivilege 2580 wmic.exe Token: SeBackupPrivilege 2580 wmic.exe Token: SeRestorePrivilege 2580 wmic.exe Token: SeShutdownPrivilege 2580 wmic.exe Token: SeDebugPrivilege 2580 wmic.exe Token: SeSystemEnvironmentPrivilege 2580 wmic.exe Token: SeRemoteShutdownPrivilege 2580 wmic.exe Token: SeUndockPrivilege 2580 wmic.exe Token: SeManageVolumePrivilege 2580 wmic.exe Token: 33 2580 wmic.exe Token: 34 2580 wmic.exe Token: 35 2580 wmic.exe Token: SeIncreaseQuotaPrivilege 2580 wmic.exe Token: SeSecurityPrivilege 2580 wmic.exe Token: SeTakeOwnershipPrivilege 2580 wmic.exe Token: SeLoadDriverPrivilege 2580 wmic.exe Token: SeSystemProfilePrivilege 2580 wmic.exe Token: SeSystemtimePrivilege 2580 wmic.exe Token: SeProfSingleProcessPrivilege 2580 wmic.exe Token: SeIncBasePriorityPrivilege 2580 wmic.exe Token: SeCreatePagefilePrivilege 2580 wmic.exe Token: SeBackupPrivilege 2580 wmic.exe Token: SeRestorePrivilege 2580 wmic.exe Token: SeShutdownPrivilege 2580 wmic.exe Token: SeDebugPrivilege 2580 wmic.exe Token: SeSystemEnvironmentPrivilege 2580 wmic.exe Token: SeRemoteShutdownPrivilege 2580 wmic.exe Token: SeUndockPrivilege 2580 wmic.exe Token: SeManageVolumePrivilege 2580 wmic.exe Token: 33 2580 wmic.exe Token: 34 2580 wmic.exe Token: 35 2580 wmic.exe Token: SeBackupPrivilege 2464 vssvc.exe Token: SeRestorePrivilege 2464 vssvc.exe Token: SeAuditPrivilege 2464 vssvc.exe Token: SeIncreaseQuotaPrivilege 960 wmic.exe Token: SeSecurityPrivilege 960 wmic.exe Token: SeTakeOwnershipPrivilege 960 wmic.exe Token: SeLoadDriverPrivilege 960 wmic.exe Token: SeSystemProfilePrivilege 960 wmic.exe Token: SeSystemtimePrivilege 960 wmic.exe Token: SeProfSingleProcessPrivilege 960 wmic.exe Token: SeIncBasePriorityPrivilege 960 wmic.exe Token: SeCreatePagefilePrivilege 960 wmic.exe Token: SeBackupPrivilege 960 wmic.exe Token: SeRestorePrivilege 960 wmic.exe Token: SeShutdownPrivilege 960 wmic.exe Token: SeDebugPrivilege 960 wmic.exe Token: SeSystemEnvironmentPrivilege 960 wmic.exe Token: SeRemoteShutdownPrivilege 960 wmic.exe Token: SeUndockPrivilege 960 wmic.exe Token: SeManageVolumePrivilege 960 wmic.exe Token: 33 960 wmic.exe Token: 34 960 wmic.exe Token: 35 960 wmic.exe Token: SeIncreaseQuotaPrivilege 960 wmic.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2580 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2212 wrote to memory of 2580 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2212 wrote to memory of 2580 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2212 wrote to memory of 2580 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 28 PID 2212 wrote to memory of 960 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 36 PID 2212 wrote to memory of 960 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 36 PID 2212 wrote to memory of 960 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 36 PID 2212 wrote to memory of 960 2212 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\system32\wbem\wmic.exe"C:\dr\..\Windows\byhxr\d\..\..\system32\wpull\u\..\..\wbem\ssb\weo\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\system32\wbem\wmic.exe"C:\y\q\rlr\..\..\..\Windows\rm\..\system32\rt\obt\l\..\..\..\wbem\lqh\pcix\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:2588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5843bc8f9e031c5981c57e7691d172295
SHA1af67fe3b2481ee22349de374a93a434840a83723
SHA2563705836d7873a7f2b32f09f3309bd0efbeb4afcb81da83dcfbfaf51264f20835
SHA51276ff7a8ec674cff178a40df911f79d1a8fb0b6e45621f0821656e9a8a8d931263f84b3fdbf38ada05f6f3ec41493305b4b20f402a13f0f486a369735dfad484d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FE04AB3F82284890AED5C8BCD42721E3.dat
Filesize940B
MD5abbb8968d81c2a39741bcec2001a9969
SHA15d853b1d70b2a79a76d1a67ee7ac413c32b5168d
SHA256fb5f808ef5b4b4182935660640e888ab8c914027bba9bd951b386822b6bb7391
SHA51277693afac4074d4031130624e3cac8bff402b7b1962b9dcd59f072029d41140c39315a9a633d741496a5549e4ab85f408b475424cf0836d408874a11de5e818d