Analysis
- max time kernel: 108s
- max time network: 152s
- platform: windows7_x64
- resource: win7v200410
- submitted: 19-04-2020 05:49

Static task: static1

Behavioral task: behavioral1
- Sample: 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe
- Resource: win7v200410

Behavioral task: behavioral2
- Sample: 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe
- Resource: win10v200410
General
- Target: 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe
- Size: 484KB
- MD5: 8205a1106ae91d0b0705992d61e84ab2
- SHA1: 49cdc85728bf604a50f838f7ae941977852cc7a2
- SHA256: 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
- SHA512: 8fc53dacd6b21ed9e1dc2a00edf154c40699754a116bdaf6566b8341c70ac293c8ba69d69a767af5ad8d0c8737a22dbe2609594983a1200375d40af3f4953b2e
Malware Config
Extracted
- Path: C:\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/869e0963b2298879
  - https://mazedecrypt.top/869e0963b2298879
Signatures

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1676, process 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe

Maze
Ransomware family also known as ChaCha.
Drops file in Program Files directory (23 IoCs)
Drops startup file (4 IoCs)
Process for all entries: 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icw3n.tmp
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\icw3n.tmp
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" (process 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe)
Makes http(s) request (26 IoCs)
Contacts server via http/https, possibly for C2 communication.
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1676 (91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe) wrote to memory of PID 2020, procid_target 32; the same entry is recorded 4 times
Modifies service (2 TTPs, 5 IoCs)
Process for all entries: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes
- C:\Users\Admin\AppData\Local\Temp\91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe (PID 1676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\wbem\wmic.exe (PID 2020)
    Command line: "C:\taxb\..\Windows\lggbs\nll\aweih\..\..\..\system32\ja\ikusm\..\..\wbem\e\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1792)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
- C:\Windows\SysWOW64\DllHost.exe (PID 1148)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}