Analysis
- max time kernel: 107s
- max time network: 143s
- platform: windows7_x64
- resource: win7v200410
- submitted: 20-04-2020 15:04
Static task: static1
Behavioral task: behavioral1
- Sample: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
- Resource: win7v200410
Behavioral task: behavioral2
- Sample: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
- Resource: win10v200410
General
- Target: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
- Size: 506KB
- MD5: e69a8eb94f65480980deaf1ff5a431a6
- SHA1: dcd2ab4540bde88f58dec8e8c243e303ec4bdd87
- SHA256: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
- SHA512: 3338e225d51efef723a520f52385f01b590638a4da7ccf56b52f59f2cfc169cba8b2f0328d90a1a38eaaeb3074c54d0dd1f82ae7f2bd1b5658a4899a0f93a9d2
Malware Config
Extracted
- Path: C:\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/869e0963707c15be
  - https://mazedecrypt.top/869e0963707c15be
Signatures

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" (process: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe)
Makes http(s) request (30 IoCs)
Contacts server via http/https, possibly for C2 communication.
HTTP URLs, listed as flow number and URL:
- flow 21: http://91.218.114.37/auth/login
- flow 23: http://91.218.114.38/content/sqtktuaksh.cgi?glll=m4h00t&ym=854oby2&t=162m&uvq=70u2628v
- flow 24: http://91.218.114.77/sexj.php?vw=5&qnaq=51&l=ve05
- flow 27: http://91.218.114.32/sepa/create/cwrwctekni.cgi?waf=4&s=6dmja0&ya=77
- flow 30: http://91.218.114.38/private/qt.action?ve=c578i4xi8&m=w&fb=e361aqw54&tws=j3y6s8
- flow 30: http://91.218.114.38/auth/login
- flow 32: http://91.218.114.79/update/kmdnsfms.jsp?pgr=tv&aqg=84&murh=1crvxd4mb&idk=v4cwif13l8
- flow 19: http://91.218.114.32/sepa/create/cwrwctekni.cgi?waf=4&s=6dmja0&ya=77
- flow 23: http://91.218.114.38/auth/login
- flow 6: http://91.218.114.25/content/jly.asp
- flow 4: http://91.218.114.4/account/ytwbdip.asp?c=1056328r&idjq=1ag&m=m&uprg=qj248v
- flow 10: http://91.218.114.11/rgqmbsasay.phtml?dccy=u6o&cmtg=4r6uq28f&ahe=n1l7&yi=137
- flow 11: http://91.218.114.25/task/mxedqwex.asp?obw=sdp55w&gsx=m0t3&hea=11g3l703
- flow 31: http://91.218.114.77/register/content/abiqxnxq.html?vd=0ev3nm&tv=63b0&d=74
- flow 33: http://91.218.114.79/update/kmdnsfms.jsp?pgr=tv&aqg=84&murh=1crvxd4mb&idk=v4cwif13l8
- flow 1: http://91.218.114.4/account/ytwbdip.asp?c=1056328r&idjq=1ag&m=m&uprg=qj248v
- flow 18: http://91.218.114.32/task/signout/poeof.jsp?n=nppwcyr
- flow 25: http://91.218.114.79/task/iwaplb.action?mcq=vps36&yi=2m5&bv=mxl6
- flow 19: http://91.218.114.32/task/signout/poeof.jsp?n=nppwcyr
- flow 29: http://91.218.114.38/private/qt.action?ve=c578i4xi8&m=w&fb=e361aqw54&tws=j3y6s8
- flow 7: http://91.218.114.26/task/forum/xiudgrq.asp?pce=4x07dxv
- flow 20: http://91.218.114.37/post/ejrpyiq.html
- flow 5: http://91.218.114.11/view/sepa/cbbrsaprn.jspx?l=kyi8n1nf4&jy=wn4pml6v7u&ya=r3bf4&ws=a2
- flow 9: http://91.218.114.4/signout/news/ryxotsip.php?al=16u22if&xgq=mg0&vf=80616
- flow 22: http://91.218.114.38/content/sqtktuaksh.cgi?glll=m4h00t&ym=854oby2&t=162m&uvq=70u2628v
- flow 26: http://91.218.114.79/task/iwaplb.action?mcq=vps36&yi=2m5&bv=mxl6
- flow 4: http://91.218.114.4/signout/news/ryxotsip.php?al=16u22if&xgq=mg0&vf=80616
- flow 28: http://91.218.114.37/view/news/jnunyxufqi.jspx?udgk=3417l68&texf=ksi0o
- flow 12: http://91.218.114.26/tmm.html?mel=j83c0bbb&pk=k15t6wj
- flow 21: http://91.218.114.37/post/ejrpyiq.html
Modifies service (2 TTPs, 5 IoCs)
Registry keys created, all by vssvc.exe:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Drops startup file (4 IoCs)
All entries by fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5o88dc5h.tmp
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\b5o88dc5h.tmp
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2044: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2044 (fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe) wrote to memory of PID 1860, target process id 31; the report lists this entry four times
Maze
Ransomware family also known as ChaCha.
Drops file in Program Files directory (23 IoCs)
All entries by fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe:
- File opened for modification: C:\Program Files\b5o88dc5h.tmp
- File opened for modification: C:\Program Files\ConvertToRestore.ttc
- File opened for modification: C:\Program Files\EnableSync.edrwx
- File created: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt
- File opened for modification: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\b5o88dc5h.tmp
- File opened for modification: C:\Program Files\UpdateUnpublish.xht
- File opened for modification: C:\Program Files\JoinClear.pptm
- File opened for modification: C:\Program Files\LimitGrant.snd
- File opened for modification: C:\Program Files\Microsoft SQL Server Compact Edition\b5o88dc5h.tmp
- File created: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt
- File opened for modification: C:\Program Files\RegisterUnregister.mpg
- File opened for modification: C:\Program Files (x86)\b5o88dc5h.tmp
- File created: C:\Program Files\DECRYPT-FILES.txt
- File opened for modification: C:\Program Files\DisableUndo.au3
- File created: C:\Program Files\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt
- File opened for modification: C:\Program Files\SuspendGet.odt
- File opened for modification: C:\Program Files\SwitchUnprotect.wm
- File created: C:\Program Files (x86)\DECRYPT-FILES.txt
- File opened for modification: C:\Program Files\CompleteUninstall.dotx
- File opened for modification: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\b5o88dc5h.tmp
- File opened for modification: C:\Program Files\OpenLimit.lock
- File opened for modification: C:\Program Files\ResumeInitialize.ps1
- File opened for modification: C:\Program Files\SaveRepair.emz
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Tokens enabled by vssvc.exe (PID 564):
- SeBackupPrivilege
- SeRestorePrivilege
- SeAuditPrivilege
Tokens enabled by wmic.exe (PID 1860); the report lists this full sequence twice:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- 33
- 34
- 35
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes
- C:\Users\Admin\AppData\Local\Temp\fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID 2044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe"
  - Sets desktop wallpaper using registry
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Child: C:\Windows\system32\wbem\wmic.exe (PID 1860)
    Command line: "C:\rryx\tsipx\..\..\Windows\l\op\ts\..\..\..\system32\eptji\..\wbem\u\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 564)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (PID 1536)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}