Overview

overview

10

Static

static

maze.bin.exe

windows7_x64

10

maze.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    02-01-2022 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    maze.bin.exe

  • Size

    453KB

  • MD5

    248c960c1ae54103dea5bfae924f28e2

  • SHA1

    504ce8efee0f7f8329c09c6d045a21c795a84b42

  • SHA256

    3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363

  • SHA512

    5b3dd4be33c48cedda5b9270a6454540e837e9611db4d43b35e7290ff7e25dd3b5c0342de6de38f12e8c7d5f291c62ef026236825134d1181e7ba5bdf8103464

Score
10/10
mazeransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">rTNUI+k1EYQWkQKHNYkWx4dYe/3US9QqHw9IMeWpNV7/qUjg8azF41ddkpev0SfCYFb36MegHA0RlCALCeN+CMSLppK9e9hXbZWgp500FgE6fU57udZJ5pkHZXHXFS9M5/vVA0UR5sd5oHj6ZauWTSUtX9JXbBJu7Fd+w2f38DsqYYO44M0pOQwNHgrIuhuKwWQK23tk9YzR2QUDam2H5Ri+lZcx7ksjqKjMGupTIR2ivjov6BrMJQTbyyiMWGZ+mRVRSz0/041gMywyfoPJ4ZCq/9mg87N5LXbzAjZevuLJtXMql4wKjwRKWo/n/8aBTzSb/qLGLoC/I/E9GoFQSzc3f90kxixEYQfHqhkOjjSFpYJSGajtgMvx24ms1D28KWeCZ+4BF9hxu+TRtJLTGW9VtK7FO3mqxZwBxZzu/ZN60hCQh/UaIsr8ABUI73WqwYEdJJ4CVsb2u1SIXvBqWz6w++meDKTzD9XQuIvyvExSHL59tC1uIP3gZFXuxZ+DBNYjc5sK19H1jTUokBFSM+D/XmWL3PTIAJgAQANIfFsjQpLDMKDv87INTKS84tcxH9nDgdpRdharuvZqVd4iBpNcEmcsMJruFAv+mL0x3ooKMlf+dChebC0o63P9ZR+Tw9yl4FUyhMG6h5Ad/0eXyVSZpJd/DEyvKDRNKylnp7CyHx7qd0E1P+QVtAsAhgGdJy9OnmULRUWQct0tJvGj0edBFC/6ufqLZUk40F1ev0a/34MNI+aOxHnVO250Ok3GV5XBsUlaBZgerDO0F/tGmqm2VtwEeL5i7+wRR2+k9PX1vi3ibIZnAwKbBbZQ0SGC9xQYi4SOuaMcJtHRg3i4z3Z78Vr7io5KbmE5nbyJCOIzGafGP3PKa/AtfJedzj0TzlqqtttjHQNPoixTXJAnLLM0ydtioCFgxnZTliNqI/a04EOlLrUXBX2d+BNkhdwmsxrd/2MxAMotq8HeT/kDJnqqz7snEOuWc5XyvbX3dIx2xURPHZRqK9rf6Liudr9g1DeN3MpvcX6q81OxaeTDrx3/yEhpffPo/losR8BtKBqt41teYyDVE1/0k27kcmYgt04e/iDkLiCy07COngO8JfuvXXA7RgDwKnrQzR+1dtD6mlYqYp8vkLGhfFYPmvoncYaHdAxnR2GQx3H0jpha8Jeqv75LHodb/OoF5ygXMayMW4defOJ7EkcGAC5jG0+GXwjeiHASdpeW5bvZufhK/pLTeDn55bHvAqSMah4H/Asne6RYngHYyiOzg8psPN1C5s719VYaO0bdyHHs8WvExmSKHemGZ8Tuu+vxLmSwCArZcu1hTjpp/sQrC5JeHGzyFgx72ahdVnCws7zvlMMjJLrrxVItVGWmOzq0EswQiQFOA8RF6ApsfuvcMWBHsKYAW7yHbuu2pnImNtpxXLRSs7+NnRRED8B+zlkGfyxFrK0jmho73P87ZfetQd7Exsx1izgIgEVIGAzCSyXPVW04WAax9PMrca0/5fzc+8xeC9sztEG+eMxh/MRXl1/BvxXfx/CH2WsbprHoT1o6E96HppQX17nyU/oRrRIqtSjmnTG9YffE1DMt+0fsTDxR1HQixbGa56SP7kL3HCATUkx8IBJDlEDR/oPDLsqyxZg07aozeST02bTgtz7W5aIHxhmqEwmEwqwQii+AJOoC6chkiLs5FNb4hfOtK7p7XQWlUo5bsF0vFjpMk08Ad+gqzJ0TZmwgiZf5XlI065DBZ1I+S1bqudkkHbZVDcz8jYFrbdZD2A1aEXoiazoi+H+/dTn03jeXNaxQzN7NmwZw7yJPKlu//fAaQP7GVN+YIk8VgSUqRA7gdBLwCD/3sCvG+ApO/u9r2Mu/S4mYyUs1xTUV8Bs/b8x9nyjmeaw3QDv9NBSlJpcLMJESVLWuGiiX51EyVgVZUYSWn1GNdsAqtu/u45t+iFZs+Vr0O/HHntGKaiwsAjdeuiJmprfokKpNH3V5jHKz5I8QNQZ3xkI5z4h74ioDgRNZbMmDTlp+6lgmJt3BZ3grBqNowGgVPKNjnpV7fo2CfKasFdo99y+wNlU81itREXjl3G6oPS0vfNXPVMM+ZyEebqZewKYqEnlFcPKZA8rBoTwmzVsBDR/kzC/6DT6weoQXct4K9/I4aTguZxIRB5Z4uMEcAFt8VplN4t08kTY/cc8YEG6jz2NKI4SabGjM1TgH2IHUlI3WL+ieb6311B7y+sXWT5zlbaPfvTFzNdSaKAoiOAA3AGEANgAwADkAOABlAGEAZQA1ADQANwBkADEAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJNAEgASwBLAEgAVQBZAEkAAAAqDG4AbwBuAGUAfAAAADIeVwBpAG4AZABvAHcAcwAgADEAMAAgAFAAcgBvAAAAQjZ8AEMAXwBGAF8AMgAwADQANwA1AC8AMgA2ADEAOAA0ADEAfABEAF8AVQBfADAALwAwAHwAAABIAFBAWIkIYIkIaIkIcJj/1nt4AYABAYoBCDAuOS5vZmZs<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\maze.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\maze.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\system32\wbem\wmic.exe
      "C:\ghtm\qixh\w\..\..\..\Windows\lwcae\mhj\tg\..\..\..\system32\bgt\qwvmp\emkdo\..\..\..\wbem\utrvc\t\reeoj\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\system32\wbem\wmic.exe
      "C:\b\..\Windows\ye\..\system32\o\..\wbem\c\lv\gvtae\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2336-115-0x0000000002580000-0x00000000025D9000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2336-118-0x0000000002580000-0x00000000025D9000-memory.dmp

    Filesize

    356KB

    Download