maze | 84565919c48c0e959c2981301510228704dd74a7206ed660e7bfda06a980e5ce

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84565919c48c0e959c2981301510228704dd74a7206ed660e7bfda06a980e5ce.dll
Size

230KB
MD5

2f78ff32cbb3c478865a88276248d419
SHA1

c4401bc85cdf162e3547645005060bd070e231a4
SHA256

84565919c48c0e959c2981301510228704dd74a7206ed660e7bfda06a980e5ce
SHA512

1d989e475b7fbfa1f5c2704b94e7037443ecfe27cca81ade92a28dc91b2cebc1e0b47c6280c794d1020758a90be2f7f4ce98b6827d3c6d2c82610f28afdb2248

Score

10^/10

maze persistence ransomware spyware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/86f4097f2b09b8c7 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/86f4097f2b09b8c7 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- LC4LAMESFWNTlpjwWLfJSlQm/VIGQfuw/OI4awSgPpma/fFZxO1lrdfNhXbOHILXbJlkb2bVen+62n9qaGnBvEvwHZGc37iMEG7MWlwrQogOX3+Jl/ZdvvBFLXxzenppZij8alBrYLsFQXKjMeNTJCR8TBm5prus/dsWUKGluf+Md/ABhCUBgNjmJbnr1cM3tSaYx98l4ZzLYUfY0OBC5Gckwd0WvTwPtmqQuhtCm2pkl0RijhOhTvc5CNXtk4B8aTuBGgjm/7uOAN0juePExIEWVT1770Mb8sKgfeUzMXnhnJcquxhCZUwZNlTGJ5k/JzWK4N94ZUvbvHU/I8WdwHeblJ3+YuI2wObjrNciLWUHZddbyOwptUSmrHLApzrmRP3VJO4u50MZdOvjJ9TvtqN1RJyb1MdZz/SOo4MVTVKoDMzv6ajMJh1/95zqj6+l2Fkk9gxzi6kUK6ynMgk/4dYkgvq9nhkNYpTNpH7KlQsdOyhvQmTwoYfabZ20cVuxSLk60kGJKOriSUpWAKE08U+YHoEpx44I6AaGZgBRQsx4DYLYfIhffQAwaBXmYLIJ87mxb9YQEureTL8EI0mpcR0Bt2i1p2WHoOMY1gaXPr9VvNkB+0qnGR+Jbcy8bqPTpUDLX/RSv95LPj6L1ytpzY8xzKrnJXxfIIhgHTZHwxZXf7wD+T268aMZQRRHRX2Dxbu8lPKxRiyXftFZ/oLAUtAhsh5gDgPW6B2eV2vPjp431W40ZQJN7WQOCxm7052z15lUW1f06ckfWY+cEml2p2v1YJjS2nAK2BKU0Rwoj7Lu0KnwMbg6iEzjCHx3HOB/Zm5OB3dDeMcMZ8svA2lCbqCaH47r3m7BuHRC6oRGJKIysKfSt4F4n69r+0aB3lezVcOZVp2lKriKwU+VEQjKYhcnXUID5sCulYPlT6TorW/GAjZqDWqC1OzltuFHA2dCo/AyUmA6iw/oSUO2uoY+KR9nHcfkyB8RQLKjccjfVW5U1iuaNJy48qzm5sOMf4vVC1o2nsv93YYO7K5IBev322/OioknzY/j/IwmDQAPBLrioawbzySFZ5rjStb1rlOD/SQy8XUWhgPms/nvi+dC9V5nL0F9Ov+2LDff3aungiXr7590hVRem1w+nNJD3ZXiLdGdkPlrmyHww21LgdurZ1OBRdzpInUL0bHcgIxY5K9DA+iE9N+d3KPvmyVi5w06fzaKC7esfhFBgXYvkkzaGou3pVEP/dVn2/oBuWrnY+YMNQQpquPKRJFx8Ii7lAR3Hwih6gJ46qtjriWuCsOIngXwwZ3DKNi7FFgHtrRMHXC62vF4Ug/QidUGMtvMNUemufUKBxJNFZGaf9RihcEbA+/wIMz4FqnkyZgwJVPXpdYJG8EZJda4+ORjzWc/2nsMzlsZh1Ja9b+SSOwe4y74dpGdFaIZs00gXbIY1XFLNajRMjqjihPnbl63u8cRBCgKvisNC3XKRNbxdQPpJt0IMdZbms1i0fINCV33muCbxLgqOiob5jIIo4GLKfxyOCwwcmW8MtWxmWIQz1X9omApKgmpZRZqduHQvY9A2zfquT5lzFl4VZYUGRCgaUsTJeqhPCmH7VzrHOPG1Q1rDBOxl8v85RQ+gD0oC5XhMvv6UQEinu5+NTH8jVOmtLHj7E9i2SFBzY9UDzQA0gkBfMUw6Tyzy2Kdqrdt4MHAg6Iawb+efaKbvlmzONwJjjOSyedqPvPR33oUTMCMZsiViuQbmx8JgDzc9xGm235lkhfUIQk5S/KQl7dSlDLSYaGPEwKMg0cQt2PKWsB76DQzYLRW8ucjvtjZ5jbDtWnb+BYdBleXnlQqv3YTCObKFqQZ1Qxv6IqTu1RwF/3dGmZ9wK26+SP4tqsAFtiWMBKkq2JJ6xz8pyAfzhC3FDvUVOTcAc7RS2lo30v3NXj6tzZHEpQi1kX4AU1keqzaaCrH6BJbK3+6Kg+ZZNrImfJKvAxfcjBduJ5SFb9eXghJgRGPVpUY9GOFfaQdbG+QQXLmUT7CQbc10K/pI8NvmhrVLF8YUTVHyhaLp2rFQzk6DLt9VLTETRzfBIgOoB9SBA+mfXn/S0wYWvPwJlHycE0qHzwy09sjiwd0yvFrXWzDFoOkxRYqrjhNj2c5fVUYm8mDJVwSHRev6L/DpPs3HsDQ0WjFu+8fWTAMQTdrBquVBcN5kAj0GIkdInt9VqyM5S8PhW/mtXHoaTqv3Ic7zivWYBo+sP60I72YMAoiOAA2AGYANAAwADkANwBmADIAYgAwADkAYgA4AGMANwAAABCAYBoMQQBkAG0AaQBuAAAAIhJFAEkARABRAEgAUgBSAEwAAAAqDG4AbwBuAGUAfAAAADIuVwBpAG4AZABvAHcAcwAgADcAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAAAEI4fABDAF8ARgBfADIANAA0ADAANQA3AC8AMgA2ADEAOAA0ADEAfABEAF8AVQBfADAALwAwAHwAAABIAFBAWIkIYIkIaIkIcKq70Xt4DoABAYoBBTIuMC45 ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/86f4097f2b09b8c7

https://mazedecrypt.top/86f4097f2b09b8c7

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blacklisted process makes network request 9 IoCs

flow	pid	Process
5	1480	rundll32.exe
6	1480	rundll32.exe
10	1480	rundll32.exe
11	1480	rundll32.exe
12	1480	rundll32.exe
13	1480	rundll32.exe
14	1480	rundll32.exe
15	1480	rundll32.exe
18	1480	rundll32.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RevokeEnter.crw => C:\Users\Admin\Pictures\RevokeEnter.crw.gYPd	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnblockComplete.crw => C:\Users\Admin\Pictures\UnblockComplete.crw.t1Hyp	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\MergeUpdate.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MergeUpdate.tiff => C:\Users\Admin\Pictures\MergeUpdate.tiff.eU38	rundll32.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f18nucy7.tmp	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\StopResolve.dib	rundll32.exe
File opened for modification	C:\Program Files\UnblockEnter.snd	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f18nucy7.tmp	rundll32.exe
File opened for modification	C:\Program Files\ClearDebug.ttc	rundll32.exe
File opened for modification	C:\Program Files\ImportRevoke.nfo	rundll32.exe
File opened for modification	C:\Program Files\PopClose.tif	rundll32.exe
File opened for modification	C:\Program Files\SearchDeny.wma	rundll32.exe
File opened for modification	C:\Program Files\StartDebug.inf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f18nucy7.tmp	rundll32.exe
File opened for modification	C:\Program Files\WaitUse.ps1	rundll32.exe
File opened for modification	C:\Program Files (x86)\f18nucy7.tmp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files\DenyExport.svg	rundll32.exe
File opened for modification	C:\Program Files\RestartSync.xlsb	rundll32.exe
File opened for modification	C:\Program Files\RevokeRename.scf	rundll32.exe
File opened for modification	C:\Program Files\ShowDisconnect.doc	rundll32.exe
File opened for modification	C:\Program Files\SwitchUpdate.easmx	rundll32.exe
File opened for modification	C:\Program Files\RepairRestart.pdf	rundll32.exe
File opened for modification	C:\Program Files\SearchStop.edrwx	rundll32.exe
File opened for modification	C:\Program Files\ShowFormat.mpa	rundll32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files\ClearLock.ogg	rundll32.exe
File opened for modification	C:\Program Files\EnableNew.xls	rundll32.exe
File opened for modification	C:\Program Files\GetRevoke.aiff	rundll32.exe
File opened for modification	C:\Program Files\HideResolve.aif	rundll32.exe
File opened for modification	C:\Program Files\WatchRename.odp	rundll32.exe
File opened for modification	C:\Program Files\ConvertFromLock.svg	rundll32.exe
File opened for modification	C:\Program Files\ResolveExport.crw	rundll32.exe
File opened for modification	C:\Program Files\SuspendUndo.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files\BlockConvert.DVR-MS	rundll32.exe
File opened for modification	C:\Program Files\CopyExport.wma	rundll32.exe
File opened for modification	C:\Program Files\ExpandResume.midi	rundll32.exe
File opened for modification	C:\Program Files\GetOptimize.eps	rundll32.exe
File opened for modification	C:\Program Files\MountClose.zip	rundll32.exe
File opened for modification	C:\Program Files\StopOut.xltx	rundll32.exe
File opened for modification	C:\Program Files\DenySwitch.ods	rundll32.exe
File opened for modification	C:\Program Files\EditEnable.txt	rundll32.exe
File opened for modification	C:\Program Files\f18nucy7.tmp	rundll32.exe
File opened for modification	C:\Program Files\FindNew.wmv	rundll32.exe
File opened for modification	C:\Program Files\FormatWait.aiff	rundll32.exe
File opened for modification	C:\Program Files\DenyPush.ico	rundll32.exe
File opened for modification	C:\Program Files\GrantOpen.cr2	rundll32.exe
File opened for modification	C:\Program Files\UseUninstall.emz	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f18nucy7.tmp	rundll32.exe
File opened for modification	C:\Program Files\LimitRedo.svg	rundll32.exe
File opened for modification	C:\Program Files\OptimizeWrite.rm	rundll32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1480	rundll32.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	1796	vssvc.exe
Token: SeRestorePrivilege	1796	vssvc.exe
Token: SeAuditPrivilege	1796	vssvc.exe
Token: SeIncreaseQuotaPrivilege	568	wmic.exe
Token: SeSecurityPrivilege	568	wmic.exe
Token: SeTakeOwnershipPrivilege	568	wmic.exe
Token: SeLoadDriverPrivilege	568	wmic.exe
Token: SeSystemProfilePrivilege	568	wmic.exe
Token: SeSystemtimePrivilege	568	wmic.exe
Token: SeProfSingleProcessPrivilege	568	wmic.exe
Token: SeIncBasePriorityPrivilege	568	wmic.exe
Token: SeCreatePagefilePrivilege	568	wmic.exe
Token: SeBackupPrivilege	568	wmic.exe
Token: SeRestorePrivilege	568	wmic.exe
Token: SeShutdownPrivilege	568	wmic.exe
Token: SeDebugPrivilege	568	wmic.exe
Token: SeSystemEnvironmentPrivilege	568	wmic.exe
Token: SeRemoteShutdownPrivilege	568	wmic.exe
Token: SeUndockPrivilege	568	wmic.exe
Token: SeManageVolumePrivilege	568	wmic.exe
Token: 33	568	wmic.exe
Token: 34	568	wmic.exe
Token: 35	568	wmic.exe
Token: SeIncreaseQuotaPrivilege	568	wmic.exe
Token: SeSecurityPrivilege	568	wmic.exe
Token: SeTakeOwnershipPrivilege	568	wmic.exe
Token: SeLoadDriverPrivilege	568	wmic.exe
Token: SeSystemProfilePrivilege	568	wmic.exe
Token: SeSystemtimePrivilege	568	wmic.exe
Token: SeProfSingleProcessPrivilege	568	wmic.exe
Token: SeIncBasePriorityPrivilege	568	wmic.exe
Token: SeCreatePagefilePrivilege	568	wmic.exe
Token: SeBackupPrivilege	568	wmic.exe
Token: SeRestorePrivilege	568	wmic.exe
Token: SeShutdownPrivilege	568	wmic.exe
Token: SeDebugPrivilege	568	wmic.exe
Token: SeSystemEnvironmentPrivilege	568	wmic.exe
Token: SeRemoteShutdownPrivilege	568	wmic.exe
Token: SeUndockPrivilege	568	wmic.exe
Token: SeManageVolumePrivilege	568	wmic.exe
Token: 33	568	wmic.exe
Token: 34	568	wmic.exe
Token: 35	568	wmic.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1904 wrote to memory of 1480	1904	rundll32.exe	25
PID 1480 wrote to memory of 568	1480	rundll32.exe	34
PID 1480 wrote to memory of 568	1480	rundll32.exe	34
PID 1480 wrote to memory of 568	1480	rundll32.exe	34
PID 1480 wrote to memory of 568	1480	rundll32.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84565919c48c0e959c2981301510228704dd74a7206ed660e7bfda06a980e5ce.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\84565919c48c0e959c2981301510228704dd74a7206ed660e7bfda06a980e5ce.dll,#1
  2⤵
  - Blacklisted process makes network request
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\wbem\wmic.exe
    "C:\f\..\Windows\eltb\..\system32\i\..\wbem\tlkc\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-2-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download