Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 15-07-2024 10:31
Static task: static1
Behavioral task: behavioral1
  Sample: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
  Resource: win10v2004-20240709-en
General
Target: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
Size: 478KB
MD5: deebbea18401e8b5e83c410c6d3a8b4e
SHA1: 96d81e77b6af8f54a5ac07b2c613a5655dd05353
SHA256: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
SHA512: a0396c82fb68cf3931f0a2fcdba580d51ec6069c82b4e3853341fc6971a4bde4dbeb0094b94379d1dce4b1d8c43703e86266156ecbee89f9c939a71cafe9d487
SSDEEP: 12288:2GOrdqXg+Hy7WxHXkzYHD9Fg0CNDG+X9MOguRTzxH/F:EjuSWxHY0C5PXmOgEhN
Malware Config
Extracted
  Path: C:\Users\DECRYPT-FILES.txt
  Family: maze
  URLs:
    http://aoacugmutagkwctu.onion/887409a4277b028d
    https://mazedecrypt.top/887409a4277b028d
Signatures
Maze
  Ransomware family also known as ChaCha.
Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Windows Defender anti-emulation file check (1 TTP, 1 IoC)
  Defender's emulator always creates certain fake files which can be used to detect it.
  Process: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
    File opened (read-only): C:\aaa_TouchMeNot_.txt
Drops startup file (4 IoCs)
  Process: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9petr03v.tmp
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9petr03v.tmp
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (37 IoCs)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
    pid 2764: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
    description | pid | Process | procid_target
    PID 2764 wrote to memory of 2144 | 2764 | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | 35
    PID 2764 wrote to memory of 2144 | 2764 | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | 35
    PID 2764 wrote to memory of 2144 | 2764 | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | 35
    PID 2764 wrote to memory of 2144 | 2764 | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | 35
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe (PID 2764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"
  - Windows Defender anti-emulation file check
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\wbem\wmic.exe (PID 2144)
    Command line: "C:\vpr\..\Windows\xpau\qatrb\j\..\..\..\system32\i\wv\..\..\wbem\m\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 2664)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\NOTEPAD.EXE (PID 1212)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9KB
MD5: d4bcde823ab060700dfc34f6608e9c3a
SHA1: 6eccc8978d65fadeb5036a0cbe42819acdbc57a1
SHA256: c1a7683320998edfff6c034e76ebe1af6d0f6eea703f31dfaaab6fee4c132398
SHA512: 487a5c9bf68aa507047ca62109b67a1178a22f50971f43fb2cb313ac113fa0a06f006ac0d8f6d5f576ea7db5aa0d871771ce551084df4ff7e5e678667c8f01da