Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 08:45
Static task
static1
Behavioral task
behavioral1
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Resource
win10v2004-20240426-en
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Malware Config
Extracted
F:\$RECYCLE.BIN\DECRYPT-FILES.html
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tf2qs.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tf2qs.dat e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4040 wmic.exe Token: SeSecurityPrivilege 4040 wmic.exe Token: SeTakeOwnershipPrivilege 4040 wmic.exe Token: SeLoadDriverPrivilege 4040 wmic.exe Token: SeSystemProfilePrivilege 4040 wmic.exe Token: SeSystemtimePrivilege 4040 wmic.exe Token: SeProfSingleProcessPrivilege 4040 wmic.exe Token: SeIncBasePriorityPrivilege 4040 wmic.exe Token: SeCreatePagefilePrivilege 4040 wmic.exe Token: SeBackupPrivilege 4040 wmic.exe Token: SeRestorePrivilege 4040 wmic.exe Token: SeShutdownPrivilege 4040 wmic.exe Token: SeDebugPrivilege 4040 wmic.exe Token: SeSystemEnvironmentPrivilege 4040 wmic.exe Token: SeRemoteShutdownPrivilege 4040 wmic.exe Token: SeUndockPrivilege 4040 wmic.exe Token: SeManageVolumePrivilege 4040 wmic.exe Token: 33 4040 wmic.exe Token: 34 4040 wmic.exe Token: 35 4040 wmic.exe Token: 36 4040 wmic.exe Token: SeIncreaseQuotaPrivilege 4040 wmic.exe Token: SeSecurityPrivilege 4040 wmic.exe Token: SeTakeOwnershipPrivilege 4040 wmic.exe Token: SeLoadDriverPrivilege 4040 wmic.exe Token: SeSystemProfilePrivilege 4040 wmic.exe Token: SeSystemtimePrivilege 4040 wmic.exe Token: SeProfSingleProcessPrivilege 4040 wmic.exe Token: SeIncBasePriorityPrivilege 4040 wmic.exe Token: SeCreatePagefilePrivilege 4040 wmic.exe Token: SeBackupPrivilege 4040 wmic.exe Token: SeRestorePrivilege 4040 wmic.exe Token: SeShutdownPrivilege 4040 wmic.exe Token: SeDebugPrivilege 4040 wmic.exe Token: SeSystemEnvironmentPrivilege 4040 wmic.exe Token: SeRemoteShutdownPrivilege 4040 wmic.exe Token: SeUndockPrivilege 4040 wmic.exe Token: SeManageVolumePrivilege 4040 wmic.exe Token: 33 4040 wmic.exe Token: 34 4040 wmic.exe Token: 35 4040 wmic.exe Token: 36 4040 wmic.exe Token: SeBackupPrivilege 1528 vssvc.exe Token: SeRestorePrivilege 1528 vssvc.exe Token: SeAuditPrivilege 1528 vssvc.exe Token: SeIncreaseQuotaPrivilege 3616 wmic.exe Token: SeSecurityPrivilege 3616 wmic.exe Token: SeTakeOwnershipPrivilege 3616 wmic.exe Token: SeLoadDriverPrivilege 3616 wmic.exe Token: SeSystemProfilePrivilege 3616 wmic.exe Token: SeSystemtimePrivilege 3616 wmic.exe Token: SeProfSingleProcessPrivilege 3616 wmic.exe Token: SeIncBasePriorityPrivilege 3616 wmic.exe Token: SeCreatePagefilePrivilege 3616 wmic.exe Token: SeBackupPrivilege 3616 wmic.exe Token: SeRestorePrivilege 3616 wmic.exe Token: SeShutdownPrivilege 3616 wmic.exe Token: SeDebugPrivilege 3616 wmic.exe Token: SeSystemEnvironmentPrivilege 3616 wmic.exe Token: SeRemoteShutdownPrivilege 3616 wmic.exe Token: SeUndockPrivilege 3616 wmic.exe Token: SeManageVolumePrivilege 3616 wmic.exe Token: 33 3616 wmic.exe Token: 34 3616 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2064 wrote to memory of 4040 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 92 PID 2064 wrote to memory of 4040 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 92 PID 2064 wrote to memory of 3616 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 97 PID 2064 wrote to memory of 3616 2064 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\system32\wbem\wmic.exe"C:\jpsw\xi\tlmxw\..\..\..\Windows\qo\bwt\..\..\system32\jel\..\wbem\n\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\system32\wbem\wmic.exe"C:\xm\..\Windows\vjbsf\xcup\..\..\system32\fui\affea\p\..\..\..\wbem\xd\jilpd\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x3901⤵PID:4612
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_59FCE5B011F14380981F7DFBECBA0828.dat
Filesize940B
MD5843d29acb05c55a256e224825038ced3
SHA1ee509c52a94d84f6bce55d208e26a3f31134cca1
SHA256053effdede5a17e9afe515f3b406fa506b066e92ae72fb40683e06daffac66c6
SHA5128efe53150557a8e666155499bd21b169b26e004b76910c8da73351882da9e3af6802248f77cb044aa59183af3fcc2d1c2a817393b98cb56ecf34acd32a975302
-
Filesize
6KB
MD578a05c2a733f0a86b9d89bed1707ce33
SHA1a40952f5e169f58a19bad590daa9be37dcb3e606
SHA25697b69ce8d26f8372a0af399644633332adefacac5f5d88767ab57c0d18a3740d
SHA5121bc24652e7b85e7fdfc50ac6b0199ca40f1c5b237cd36ddc97c03813a59b6a9e573d2c667e32591c2eaa98135a58791f3d9c452dedfb72efecdc962459122771