Malware Analysis Report

2024-09-22 14:44

Sample ID 240622-vlcj1azdrp
Target df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d
SHA256 df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d
Tags: maze defense_evasion execution impact ransomware spyware stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d was found to be: Known bad.

Malicious Activity Summary

Maze

Deletes shadow copies

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-22 17:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 17:04
Reported: 2024-06-22 17:05
Platform: win7-20240611-en
Max time kernel: 33s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fd4yis.dat C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe

"C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\wbem\wmic.exe

"C:\nfa\wjx\rbak\..\..\..\Windows\g\qgrpr\..\..\system32\wo\g\kyg\..\..\..\wbem\p\dmv\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\bfv\roceb\wad\..\..\..\Windows\gc\jnr\..\..\system32\ll\bv\..\..\wbem\gt\joemc\tx\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

Network


Files

memory/2856-1-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2856-2-0x0000000000220000-0x000000000027A000-memory.dmp

memory/2856-3-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3020-4-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/3020-5-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\DECRYPT-FILES.html

MD5 e134b90185da011b3a9a1461c17945ff
SHA1 883f54deabc4c776289448a0da3ec82c05570168
SHA256 d0f9df7f9682cab742c5fecb4ecd947f4c93eba7b94f1ea118258e58c3481715
SHA512 a72613bfa950e7bf3827d10548938b85e7241b282bc3e1eb9c587ea168a741c07e210ff9ea05ff228d2c2b52941ff2999d3b3f198c2ca9469b19c65457921c4d

memory/2856-1844-0x0000000000400000-0x0000000004E4F000-memory.dmp

memory/2856-1848-0x0000000005020000-0x0000000005120000-memory.dmp

memory/2856-1849-0x0000000000220000-0x000000000027A000-memory.dmp

memory/2856-1850-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3020-1852-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2856-1851-0x0000000000400000-0x0000000004E4F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_67DA2002B81E441DAD68E6DA304D6E85.dat

MD5 1a251b2fd172046b544ea774b27636dc
SHA1 2ef6aaef3905abb7ab03f602088ecfc4a8597128
SHA256 259910c6781e1528df2d341ce6ac06d4299fb053d994667fb6c507f50bc33068
SHA512 a70498a96f1da4e3c198bfaba0a8cef6ffa2fec8dfeb28e388c49442cb2bdec4ccb825ddba9216a8d7d508974da7c7a7ba6e7619510f3582ccb676beaec9613e