maze | 38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6

General

Target

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Size

3.7MB
MD5

e14c0622af40260fec213c4100605bfb
SHA1

2cc388e5e5ccb150604e3e5c0a715a8974a274c7
SHA256

38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6
SHA512

e0ae9b2f70b6460672079b907cd30fc228b2245b60315561651a09de1516424aeb770383b5cd7468926c5cfb221f130787d536d87b0941fe09cdb47af40a2d05
SSDEEP

98304:YjNRO2u6p4S2tdxCrSs4bd2DOuYeWCLgq+cIMXam1zECP9Qz6:sNRPLD2bo4G6e8qRXaop

Score

10^/10

maze credential_access defense_evasion discovery evasion execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/87e2098f22c2da4b e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/87e2098f22c2da4b b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- Akypmaow6v683u7FnfSB+KJZsICgtasiS5uikg0+tpvWkMBrhu4zlPMHSIj/H55ZrrLcisGRO5YPGupOi4JqCjxf+x4xSCpiKNGJiYosem4S6y3bPr3v6WcVj+SEA62mhNgO/xIpWbTiQCWLCJ3/rK3nPkm3NyRcPrU6ILKulYrbnNw6GdGxlHgR3G8p+w3kiBC2ztG7PvNE7Tt0gmdpvoYjebge0GuCzotU0GMHZPO+l8i1JZSYdbrDYNd62ti6bl/gFfSwAtqp6MOmIW40KVTTndvo40HRJj/vZHqrZ46i5BNcqRacy6eTDtpZBov+Xpi5xhXMAT7TIh1ZBAoRaKjVUuCgHVXmYo7kenVnakdRqWEUU83/LHHE1toZ9Ew3CQDcRULObbvP20SCsP7qVk4PKWFrzD2n1uwFaSnq09RsGcjXFbxQ/kDo5rFtsU4VGmDf1FEXUlE0QYx7pPFgFRbvTFcup1j2Jvu8UB6WBUQ3/rMFoatYIOE6yZYMYCoV474dUtxf+9GUZE7NPaI4QK522B+UIJJ9bS7beFNmMU6bmOr5rCAtZX/20QmlsHZXhpTuoYgSnn/LJzkgDjWCnWlkd9BV24jFbBPcJuzS0iVRl+sSceWFyN5kbsAJ6RlOUrROYHAYheyRu/urH7k8qTzcsM4IlBDUhndz6lFmK+nXehYsKmf+Z1gmcuMpc0dwJ5CLo7BEAuXgfThxQleIJ4lCcH5PBRulTWlcpFcYTm9NA3PLy02MYN+wPoCuLKw6grC7ETjqUVCfO8M2MiJlo+eDJqjwzW2nu71K7YelIwQy9FYxdp+ahTQpVeU9XrRe4MpAeukQul1uwmqEPf5iNa2YmJc0u0tmYDi6oTK5yXE5GtBUKdCzepP0n3HCnyYm0IKQvqcbnpRgGsnOpJ74ZjvSIk4FYZ3qkWaa5tXFXCz4CyghMpCdjurXYai4wuWvaIq6ICW4OttkA5odwJQFgx2b5uftJRYSI+E5/FUdtIzeUgS3YC5orv9Zn8+GWvKKQk3If6E8TsK7eyP4nSfDbw9rM+S0c3TqvrRLsLuaNFuOAZsrS6pFRSR1KqjWeQB8v/6SPWB29iAvxmN6xwtLy7tb+p8RDG9H4D3M8o2691SlTl7Q7+6OCnkwUrQl4Bo5E5bvZij1ncO+8SUHDK3RN/i7k/Qsw2uJu/CS+FZ6iZVy1yyB3CdAHYLSExenCqwM6tA2f6E4szRcmXZ1oO5YEHC0HC2rX2924kg9rWIPCvNiLdS0Uzlb2H9K6Uxm8ADGGV/BxbKP8r7sg6g4hBcPZ4e+zx74RpKNcx1j+GBjVGbLvVcThnxFlbbqV8kH3pEYd5KUtm7nA5iAqMVsAmW1XG3SNW6URBjRDwSSCBFBI/U7T7z1D1fXb//wRY65DJ69VRMPdUPa6rB/RPINHyR2GA5n7iLk3ek0tAayA+WO9LxtcOHV/6qvyzzrrjPCmvbgVJo5Z/DfWM9jcGqA7ARDGxqCEnPUDS6tsTnNWShI3n3rR6Gue0+CpGpqDLFlqsS8cN8lV5KhdgGSP7EQ6ew0ToTDCmnqZg8wSkAEV7vbff2hCERNDMj6LQlS39SRi1Yy07LJCw67yv2mq0O8x30bqnUgKecwU8Pvf+9i6+HIsxWiA+OyUAFmipwQvH2U3dcrfVRNteNA7QGoCuyoynhuAnbKpBQ1cdVXQOstyw25n97BydIoJuxYmLtP2UiAU8jC6pnxUFY2atcWBH2/vBxT5nG7+rBR37qgPeEnAAeCb4CcP3rIvUsFbC5djSdBXcsYf5QtEhUh+bOPQ937SzyOG+DvQbSuQGZtbqpUby6zEpcq2OE1lIiDE8mL7zYUIEd2icQWmHnp4MHu5eJEYKes+iE4Qti6bfZC+kw8MeVUN4UnxVkE/CeQFjS5pw3suXqIiE6Vy26mEXsuzgZXGTNTmrVKP7nR4KkRBpIA0AP58zH1ELqveCsjk6wA0cNm9IOyozK6PBbgUy/yc4esKYGSletYsVXo17iKXWtNwRCdE0t+X4CSSVKDLEl8iOdkMO7vLNcM/MCPSBh2gAlaOoc5fNUwBgFq9Wi0yvJJwQE0plM1SvDaovZIKRx3q85a89TZwqsNkBaHTf3ASDc0XYsWkm/O0e5BCwxUasDGjfCEKxmFOy1y468ulr7U7F00oWu1tn0pcx5BGapXX1oLMblpFSTIZjtZvSs1U7Aun+trBEyuzz2ITM23nQpM6KEEiX64AfR3KAoiOAA3AGUAMgAwADkAOABmADIAMgBjADIAZABhADQAYgAAABCAYBoMQQBkAG0AaQBuAAAAIhJPAEQAWgBLAEQAUgBHAFYAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCuh99yeBCAAQGKAQUyLjEuMQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/87e2098f22c2da4b

https://mazedecrypt.top/87e2098f22c2da4b

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\87e2098f22c2da4b.tmp	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87e2098f22c2da4b.tmp	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

pid process

2916 e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Drops file in Program Files directory 41 IoCs

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\CheckpointBlock.cmd	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ClearRegister.ocx	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ClearRestore.odt	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\EditConnect.css	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\RequestResolve.mpv2	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\StopOptimize.ogg	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\UnblockPublish.MTS	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ClearResolve.xsl	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ExpandReceive.WTV	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\MergeUse.mpeg	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\UnregisterOut.mpeg	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\UnregisterUnlock.TTS	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ConvertToInitialize.clr	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\DebugAdd.htm	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\DisconnectEdit.M2TS	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\EditUnregister.gif	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\EnterUninstall.tiff	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\DisconnectGroup.mov	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\MountAssert.asx	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\PushGroup.wdp	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ResolveLimit.vsd	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\87e2098f22c2da4b.tmp	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\EnableImport.ttf	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\StepCheckpoint.png	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created	C:\Program Files\DECRYPT-FILES.txt	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\CloseLock.mp4v	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\FindSend.docx	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\GetMerge.ogg	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\MeasureWrite.wav	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\UnblockClear.dib	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\UseResume.cfg	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\87e2098f22c2da4b.tmp	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ConvertToSave.aiff	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\MountRename.js	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ResumeConfirm.vsdx	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\SkipEnter.png	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ConfirmMount.pdf	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\ImportConvertTo.vstx	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\MeasureRestore.001	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files\OptimizeRemove.ico	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

pid	process
2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

vssvc.exewmic.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	2380	vssvc.exe
Token: SeRestorePrivilege	2380	vssvc.exe
Token: SeAuditPrivilege	2380	vssvc.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: 36	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: 36	904	wmic.exe
Token: 33	296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	296	AUDIODG.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

description	pid	process	target process
PID 2916 wrote to memory of 904	2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe	wmic.exe
PID 2916 wrote to memory of 904	2916	e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\wbem\wmic.exe
  "C:\fbeh\..\Windows\lbq\..\system32\aupp\rvnm\..\..\wbem\idqgd\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ac 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_30C63F05DA094CC39E8AB4D4D8C1AEA8.dat

Filesize
940B

MD5
d5c77c5d8c2d68e55a7aa329af72d5bd

SHA1
599efb00a5e4d101a4f0877ef7260dd13cf4704a

SHA256
ee2aff2aca81989ed057e209b6e7421ab915b9d4c6e66e568a77aaf5147cc0ea

SHA512
e459d4c6506afdef8d460267673f4e22120132995852d9cb0ed8b7f190a6af71ca0f2a74c3cc887ffd5e2aeac2b56010634e7c4f9a3841250b158ade04de6595

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DECRYPT-FILES.txt

Filesize
9KB

MD5
7a79230649a9c0d49c32feb4574ca694

SHA1
837fe39742488d84b08ea5624c5e9118e954b8b9

SHA256
da73163e9b9f9cb86583d438dcf27c2bc05d3bbeea0ae8421560facaba97320e

SHA512
74d44df20ba1aed6eb839dde75500dfd939bdb8ac33ba3c76b884c6d9fc2a876f6a7fc96dc6c693f2b0de67744bd816428fdf46b8238e4bb8f9dd081636838fd

Download Submit
memory/2916-814-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-4-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-1-0x0000000077664000-0x0000000077666000-memory.dmp

Filesize
8KB

Download
memory/2916-5-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-7-0x0000000000401000-0x000000000045D000-memory.dmp

Filesize
368KB

Download
memory/2916-6-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-8-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-2-0x0000000000401000-0x000000000045D000-memory.dmp

Filesize
368KB

Download
memory/2916-817-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-810-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-834-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-3-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-808-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-818-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-823-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-826-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-827-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-830-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-831-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-832-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-833-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download
memory/2916-0-0x0000000000400000-0x0000000000BD7000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads