maze | 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9

Analysis

max time kernel
164s
max time network
183s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-02-2022 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
Size

727KB
MD5

27c5ecbb94b84c315d56673a851b6cf9
SHA1

326f4984644aac4370c8237984fd369f1c9db29b
SHA256

195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
SHA512

7a811abc5bc380eab6fd3e447e858c382edfba1e5088cb66065df4c393e9cc01b37bbd875b3de173fabc72f6055467e80a6a8a1b7eb8744d1a40b58877d86b32

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/892e099c398b21b2 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/892e099c398b21b2 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- SmaTb7hLKvJgoMKDUQslkJTq6krfxE+cDJcSlpdezLYlKtHINSx41Z93gHwIHdFv5OWmmg40rkrNjQR6Ef6/5FfXyQ1MHJhw2PqA3m0zFwNFUMPPYlYHW8JOHjmqJHmj9Y0Ug2iVVQxq2fi7dFFUVj7Vamt0XxeCQEf0Qx3yjymwACL9dGzw2PqrujiD2jL4fAiU7utl4dR1Xswrb/kB0Fh0vB5V/pOEH0/l3EL91+piz+cYAdssukQSdZ9mXaizLgQRtBgQ3nkGG6MkOUe2PG6of3ZNdHuamXiQx9CqpR0ddP9wdAuLE+SXOAOtBtP1QittJvK7XxdJehYVrFcDurJxVYjUDqqDENtYlzFMfa9ju7jHdvidtK6KAyULn1dnK/PXXJTOzqcJX8+6EOQDnuCvTXzZkHL09ZA72wCuR0dIE/ghG/CSOaSnXebwUxv9eFyZjfd8lvJTYyobOdpB4Sv2iFPXkcTE5RuGKvqL0o5rRRYgQX0YEZLaNGns4O5NhRgGwd45kZcGXuxrghsHycOyEO4N1eTQ7TgtdJBNnmsQMNhx7/aOp7uUhaj3XKFUsycPG20SuYHW9VPFvdGfh9zPiWwaG29HAADQUPouUWaCIZ6cnAyFWSjIjPD60JGtBEptb6IFABbtssOEf7Ml3nMCuX49988yZcosH6AFfFEFOVfSloOldhcoHer5BvfKBj6QzmWULbzAi0Ve9HAVtlhJciOl+G6FdZ1Iiy68tZTJP0QPAof50qalPQkPwbgxuwNYmUjbsqqB2cQz9nz/MmUXUH+RGNg/RTNRmOq2bwOZCAmvTmiWmwkWLTf8uwsNUmR6jwki+pVuSrwZ0hb6wLhcdbbyk4lbRZtbckrWQfQoiAlGaWXDoX0cmRHOYWY8Gm/Ho16zZVHsHdQO7GCWsC+BRA1gPthGztICGZedUAbKKMpNa0Yqiki9366uV7YnmcJgINzFUYoK3wpyRPLVpypCsV9kcpCop+U6gs8t4Er/q92nfq7NWYCtkn9/KsUP476uH3PcTd4bV9xdHwuRbHyAX26+9KLR93jZRPdCL9/1+Ihrxki5iOcNn9eYjbDYwik+2GlTr28XtKteH8KD1sqxq3J3l0e9UlkuGx3oPP5gUrb1+pBA67FM4VJQ31cq9NEzMOGt00FssUueRXnKzg3vyVG8RzslqcRXHvycLHqMQdjFmRjnmWRk/WQbcbKB1ylHFbwV2Aw7wEbh1wmMv+dtRYGA7RuIJYg9bBx0NvjUzfF0X4lDVTG81cd1dhe4YSraddiebVR2lP/QzDiBE2+JSEvOUpk+AjJpSla2vraGnxGkfbQNvU/SnzFstvLGphm3yDJPHuP10jVRejbr2+RwJkMdu2oiHR8Q6F1Af8DRwnjhiARKSngF839rcp7KXYh9cqjny6zAly+67JSPPYizRATR0IX50vOefGDRgbZmf1hn+lA5K7Vis5N00NqmErfikSwJEMZIoYYFAAA4vpz2qqqaYcz/vpJ+JB4W9EohV9+uiSY7jHoaPFqRbuOsxSYSD6o9qkKG+ywnJyoIaxe8O9Fhzelnk6kg62qzY1Yeue2zfy3BVdjy5HsPrmdc1m0oVNMImi+45CEJ+h2EQFRUC4nKrC3sG9ggTMwBTLf5A72jCMYr2SZXZjvKfQ862N1hWKwjAb2Lw9LB+Z1u8FcH1TRViPASH/MksW1WQ0AaE/ycYxNRSLIcN8eUH3brJ8eKhj2LvFFZRL+tCNzUo/UZqKGKS6AQ9EKiiOr8lw9v6enotu4/ZCJJ1EIOVu85ttuRT6yc683Ou9asr0cvEF9upeOuchkyAPUXq2HovmBv+lsKrL++Su6vi0Ez07DZWVJjdDh25wT3LYXj5Q+GKjrCxqMpUUQER8K8DMcMMv1XTZhGwVJ7uzTq8Ca7B00Y1kGB6JZxA3TIoH5SsBZeK5U5a8EZC00xjcQIgZzgOKmlPg+JmPGDSN3KfgpR9CHfwDGxWyg8t7H3/95qSiNmooSBg4roTHWUdKnHMeWCdSP3wdM6ETGZC72JEa3DTGL18SCiXeTJREAeOY6g8+WUuZobpJGeP+3WElajGq1ihDB6OZN5jJkLERIcW/Sq/b5LtDwKUOC2epLLL77MrVSRHpPkKDvdm5QFH+X7HLOpuPXuIe6HpBfkyf0NGEWCgNC2tGH7q5EtZU0J3Y/NRDRLRWwI6+cBHZukxhGaEXiiuboK2ha1XXXkimush+hWGozdohfmYAoiOAA5ADIAZQAwADkAOQBjADMAOQA4AGIAMgAxAGIAMgAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADMALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwztjYe3gQgAEBigEFMi4xLjE= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/892e099c398b21b2

https://mazedecrypt.top/892e099c398b21b2

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeUnblock.tif => C:\Users\Admin\Pictures\InvokeUnblock.tif.PZuS9H	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File renamed	C:\Users\Admin\Pictures\RevokeEnter.tif => C:\Users\Admin\Pictures\RevokeEnter.tif.VLB2l1	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ClearStep.docm	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ConvertToRead.vsd	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ConvertToTrace.wmf	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\DenyDisconnect.midi	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\InitializeEnable.ttc	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ResolveOpen.wdp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\SyncExit.wma	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\GrantAssert.cmd	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\MergeInitialize.php	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\RemoveStop.mpeg2	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ExitAdd.midi	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\DismountDisable.wax	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\ReceiveEnable.vsdm	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\RedoDebug.xlsx	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\AssertResume.gif	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\DebugUnlock.odp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files\SuspendInvoke.cab	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files (x86)\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\892e099c398b21b2.tmp	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1096	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1936	1096	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe	35
PID 1096 wrote to memory of 1936	1096	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe	35
PID 1096 wrote to memory of 1936	1096	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe	35
PID 1096 wrote to memory of 1936	1096	195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe	35

C:\Users\Admin\AppData\Local\Temp\195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe
"C:\Users\Admin\AppData\Local\Temp\195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\system32\wbem\wmic.exe
  "C:\iaj\..\Windows\smvo\djqsk\wcrw\..\..\..\system32\tcwe\f\gdbs\..\..\..\wbem\d\ol\vca\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-54-0x00000000004C0000-0x000000000055F000-memory.dmp

Filesize
636KB

Download
memory/1096-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1096-56-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download