maze | ab4c81f552a0dd8911bcbfc6601350139b72c1b5752b70ec699c465b3c54fc7d

Analysis

max time kernel
125s
max time network
128s
platform
windows10_x64
resource
win10-en-20211104
submitted
08-11-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c1b18932f622126441802f5ccaa9eefb88465d83a4a527d2c7ca2bab404b373.dll
Size

486KB
MD5

e406d6097c42b81d5bcebe1827e66a19
SHA1

09d8c91ccefd699fb5ac1aaebeeebee25170fe1a
SHA256

7c1b18932f622126441802f5ccaa9eefb88465d83a4a527d2c7ca2bab404b373
SHA512

77f177824a9e5cfacd6d101ec84a75bf580e9fa707ed4a2bd5213d44b758890bd1922d5709791f20e379b5304efe41b9d8affab6042e51b0e54f5d0919d75020

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c230cc26eb0cf8e e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c230cc26eb0cf8e b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- Rto9OJ/B+wuXpVIHEZQsln1aZDiGzMfDkWgDrXYYGSuwLo3w92YBOE/tKeItQoa2Nm7i8MbHq3Wd5tmbBgyA40EDIBOJexgEpzkTzifhDlq8Y1AuDKbieaBA9A78Y/OefEQFsS3PvWPKgDWIrJsd1P2mAmLqHClq23SmM0dI0kmSlchyp4y1bYNGz0PcMpo9PdsQUnMfjOz4xojboS5D/ag1OmAyTDZina0qDRle4hPY0cxgaTn0U0xjuumiMGkjwLgyZl6FL1gW+Y53NTcSLFIpAW/1w2cGfOz2cSLQwUIWh5uMn0fGxGPOijT/DXUbgqybuATn98hAHLGpG13mRX/a9XiDbWbZHzVCGOGYYKaeQcTIVN8nsPGFOoNLZb/cvokaJ+SZ1Rkvs08hjgr70RyGnof/L0H9bLc4GWBbugN2mnBJ/yRerwIr6tnkVvMs1D24WhZCIgJ+el6cDi1n1IYaWKzktv2I2QxHJLWxnXToeIZZUTHtGDVFTwd978mkmd/dzDzEtiLuZ0MZaDCOiVE12JPHqQsQHmVSeF0ws8V1M2kTnAEECgo9wwRKczE4no9sGw/av3XzNNwLfP1nvz+mijR9mVL9TDKYRcoldTFv5PmO261vpQB0SjpK6M7zNBXCWAOlYNyX+Wu8mLatX51f2bYzLYUrslX1g6hXcNTltnd4fYG6wOcyp2VFsMVXgaDsC2ozLkQG1X+qMfQG5BgVDf+x3e57j5KicWy1FLVkb3xkAatCCWwKbh1+ohXf9ErBXKe8dBeeaCDL9vWppEINT/rlXzPOTr2MPkmKw9igZ0w1KzZGOXPV9DuZkmogPBbzb5/fg3+Wu6H2UAcinF7zeEnfNc65MkP8oZer7rHxafT5SlXTBFrA5vlJvecFlM3I4yywq1O/Rf2CsdgWdEXQL87zZvyQYy7LI49W3eRFdWMWIGnj6D4Ga4dx0T+vsrNjiie8Ujk0wm6qKPsYzit7M9BrpVimZQiW9dDYNO8K4gQCe9GMpzSCF1G4w9JPFEUArSV0g1BToN5tihGIl5OCxG1YRykc/atUaRLTa1OuPFKzt2mDPlMWuwp9FmT0TluWXtLHOiNKb2TR4PPYZGpLH0Mh9sCrekYkSxbseK9+vzH11k+uLtvWziWGaWT2kfpIpo1cuOK5VIHQwi9jMPtSTzIXqq3eU4AiB/ySysTXYmYIYquTL68fGqLKXlqmpue7gelwvXnrHarZcSRzf/FAMkbYTg5mxw24UCXmoi5gt6RHz8eZT7G5hb4vaGAtX8G76spc2+x/hx3/nw+qt2JkM0VANJV4km2r3vSb4mWkLud1ySCxxMwAMZ+7ThdjFqbae29JreL7uQaFDlAcheSeZet5KzxLiNY6V2ynKNOv/RFVwINC2iCfI2Dveov0zz3toVNJRXJ45cGJPS9wOBAwxuPD2Rs9AD48QGbXKHJUPA2K8DNyaVL9UAGZqqwunH416MFkm3lmstOcm4ImYNl3/Jl6tW0NfVFd+8ugRTt4yM2rEls2eWb+DBc33DrYHt1pebDNYHYwdvW/pZHKOmDQ0U9MCMK4ZpCF5+hgDgneWyFd9BrH94hOrjYV48YeXqAxDqfaE1q/a24ZpvGLLt50wK+10k/flXYAd5nADwtTsODNJiSWDvMZlNZB6Q5rh3MeBxOKY4/PYn1qYGkjqQhG1x3+C1lAFJM74mRsdNTB8qmgZfqjYRUVtJt2InBoeIKppp7Vlj5DZaPkc3tax67FQEitqFUyY6GZumqsMCR5xHmgqX8zdPxYJlRI3LAmrT4eNcVXHYMVgsQAvBitbxohq0/SBOkgPUf4bLocKUbEC8yR1JsYmshyZVKEucttzGYmyhqYKWaIBav19kJmWqjCj3i1E1NLWEUanXBZRr+MZ5mbQZEl/RCuQx4vf1yQfqpmBdSpClBdgUTEj+tkArXCgTxJaX7kUzbKDxGMWoe6OoiGEibV21Kp+AxOhlGZzfcDIqAGtlstzmSLtj+5QPFjQVgr1aeoSf50aIKKk/SFgFJ/58MKMJrJqOlFa5pubVQQKWqKuE5h76Dtixk+docZRBJQp578nu9jMeHtNuaRGl0vu8cjo0wQak5FKR6KgfK7IDPg/l+lXmXGGUSscjfque1alJKq53Jek93tOWzZwQi3iyGJa/g/T93VuRwIDrW/frGbSoAkGCrRQSrXiwuhVbWakjeNhXnZKTTvmFeJBUGIIL2EWPESzsyKWhjSC9aRZAoiNgBjADIAMwAwAGMAYwAyADYAZQBiADAAYwBmADgAZQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEwAVQBDAE4ASgBWAEgAWAAAACoMbgBvAG4AZQB8AAAAMh5XAGkAbgBkAG8AdwBzACAAMQAwACAAUAByAG8AAAA6KHwAZABlAHAAcgBlAGMAYQB0AGUAZAAgAD4AIAB2ADIALgAzAHwAAABCNnwAQwBfAEYAXwAyADAANAA3ADUALwAyADYAMgAwADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw8a3We3gbgAEBigEFMi4zLjI= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c230cc26eb0cf8e

https://mazedecrypt.top/6c230cc26eb0cf8e

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnpublishRequest.raw => C:\Users\Admin\Pictures\UnpublishRequest.raw.Pe2fOe	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\BlockPush.tif => C:\Users\Admin\Pictures\BlockPush.tif.S9b8BBQ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\CloseEdit.raw => C:\Users\Admin\Pictures\CloseEdit.raw.S9b8BBQ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ConfirmJoin.raw => C:\Users\Admin\Pictures\ConfirmJoin.raw.BWAd	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\InvokeStart.crw => C:\Users\Admin\Pictures\InvokeStart.crw.1Xb1Q	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SearchHide.tif => C:\Users\Admin\Pictures\SearchHide.tif.vra9Lx	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SyncExit.raw => C:\Users\Admin\Pictures\SyncExit.raw.vra9Lx	regsvr32.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c230cc26eb0cf8e.tmp	regsvr32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c230cc26eb0cf8e.tmp	regsvr32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"	regsvr32.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DebugUnlock.ps1	regsvr32.exe
File opened for modification	C:\Program Files\DisableRestore.js	regsvr32.exe
File opened for modification	C:\Program Files\ResumeImport.raw	regsvr32.exe
File opened for modification	C:\Program Files\ResumePop.emf	regsvr32.exe
File opened for modification	C:\Program Files\TraceOpen.odt	regsvr32.exe
File opened for modification	C:\Program Files\6c230cc26eb0cf8e.tmp	regsvr32.exe
File opened for modification	C:\Program Files\TraceMove.emz	regsvr32.exe
File opened for modification	C:\Program Files\UnprotectUpdate.pcx	regsvr32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\NewUnlock.mov	regsvr32.exe
File opened for modification	C:\Program Files\UnprotectLock.docx	regsvr32.exe
File opened for modification	C:\Program Files\LockSkip.avi	regsvr32.exe
File opened for modification	C:\Program Files\RepairTest.cfg	regsvr32.exe
File opened for modification	C:\Program Files\WaitTrace.ex_	regsvr32.exe
File opened for modification	C:\Program Files\CompressUpdate.csv	regsvr32.exe
File opened for modification	C:\Program Files\ReceivePing.emf	regsvr32.exe
File opened for modification	C:\Program Files\RepairTest.wma	regsvr32.exe
File opened for modification	C:\Program Files\ResolveRevoke.m1v	regsvr32.exe
File opened for modification	C:\Program Files\WaitJoin.dwfx	regsvr32.exe
File opened for modification	C:\Program Files\BlockAdd.gif	regsvr32.exe
File opened for modification	C:\Program Files\ClearStart.jfif	regsvr32.exe
File opened for modification	C:\Program Files\UnprotectRename.vstx	regsvr32.exe
File opened for modification	C:\Program Files (x86)\6c230cc26eb0cf8e.tmp	regsvr32.exe
File opened for modification	C:\Program Files\ClearSet.edrwx	regsvr32.exe
File opened for modification	C:\Program Files\DisableSelect.dot	regsvr32.exe
File opened for modification	C:\Program Files\RequestGroup.ttf	regsvr32.exe
File opened for modification	C:\Program Files\SplitConvertFrom.wmf	regsvr32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\UnlockMeasure.mpe	regsvr32.exe
File opened for modification	C:\Program Files\UseBackup.ico	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3068	regsvr32.exe
3068	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	3168	vssvc.exe
Token: SeRestorePrivilege	3168	vssvc.exe
Token: SeAuditPrivilege	3168	vssvc.exe
Token: SeIncreaseQuotaPrivilege	800	wmic.exe
Token: SeSecurityPrivilege	800	wmic.exe
Token: SeTakeOwnershipPrivilege	800	wmic.exe
Token: SeLoadDriverPrivilege	800	wmic.exe
Token: SeSystemProfilePrivilege	800	wmic.exe
Token: SeSystemtimePrivilege	800	wmic.exe
Token: SeProfSingleProcessPrivilege	800	wmic.exe
Token: SeIncBasePriorityPrivilege	800	wmic.exe
Token: SeCreatePagefilePrivilege	800	wmic.exe
Token: SeBackupPrivilege	800	wmic.exe
Token: SeRestorePrivilege	800	wmic.exe
Token: SeShutdownPrivilege	800	wmic.exe
Token: SeDebugPrivilege	800	wmic.exe
Token: SeSystemEnvironmentPrivilege	800	wmic.exe
Token: SeRemoteShutdownPrivilege	800	wmic.exe
Token: SeUndockPrivilege	800	wmic.exe
Token: SeManageVolumePrivilege	800	wmic.exe
Token: 33	800	wmic.exe
Token: 34	800	wmic.exe
Token: 35	800	wmic.exe
Token: 36	800	wmic.exe
Token: SeIncreaseQuotaPrivilege	800	wmic.exe
Token: SeSecurityPrivilege	800	wmic.exe
Token: SeTakeOwnershipPrivilege	800	wmic.exe
Token: SeLoadDriverPrivilege	800	wmic.exe
Token: SeSystemProfilePrivilege	800	wmic.exe
Token: SeSystemtimePrivilege	800	wmic.exe
Token: SeProfSingleProcessPrivilege	800	wmic.exe
Token: SeIncBasePriorityPrivilege	800	wmic.exe
Token: SeCreatePagefilePrivilege	800	wmic.exe
Token: SeBackupPrivilege	800	wmic.exe
Token: SeRestorePrivilege	800	wmic.exe
Token: SeShutdownPrivilege	800	wmic.exe
Token: SeDebugPrivilege	800	wmic.exe
Token: SeSystemEnvironmentPrivilege	800	wmic.exe
Token: SeRemoteShutdownPrivilege	800	wmic.exe
Token: SeUndockPrivilege	800	wmic.exe
Token: SeManageVolumePrivilege	800	wmic.exe
Token: 33	800	wmic.exe
Token: 34	800	wmic.exe
Token: 35	800	wmic.exe
Token: 36	800	wmic.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3068	2896	regsvr32.exe	69
PID 2896 wrote to memory of 3068	2896	regsvr32.exe	69
PID 2896 wrote to memory of 3068	2896	regsvr32.exe	69
PID 3068 wrote to memory of 800	3068	regsvr32.exe	74
PID 3068 wrote to memory of 800	3068	regsvr32.exe	74

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c1b18932f622126441802f5ccaa9eefb88465d83a4a527d2c7ca2bab404b373.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7c1b18932f622126441802f5ccaa9eefb88465d83a4a527d2c7ca2bab404b373.dll
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\wbem\wmic.exe
    "C:\slp\..\Windows\alwh\rfy\ak\..\..\..\system32\kfa\gjd\afomu\..\..\..\wbem\au\lxrp\lirp\..\..\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-119-0x0000000004370000-0x00000000043CD000-memory.dmp

Filesize
372KB

Download
memory/3068-122-0x0000000004370000-0x00000000043CD000-memory.dmp

Filesize
372KB

Download