maze | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e

General

Target

04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
Size

2.5MB
MD5

54c9a5fc6149007e9b727fcccdafbbd4
SHA1

503f44e1634b7cfad812c7be2a15f0fe4d9a1b58
SHA256

04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
SHA512

d79c19c5ce44881790abdb1caf654286ab8eefc5e7baf2c9ff13a58a97a004713015ba1539819ace212e505227e2b11e503c7bd14aeaab013bc77557bb02943e

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/8802099c16c7c49d e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/8802099c16c7c49d b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- mkm/VmysEZYcO45tj2or6wtTIkG4inan259c901y5m73fqJYJlM7vQIRkYZMFYdkc0P5732djk4t+FxyYF4dR/TwhpoLjDYsSePH1gpQ43sWVGhmFMQAhPD5jpSaclTyFJlabbfGfwkYg8lPdjgJb1c1zyhxi5CszB7H1ExCb4mPGfwCzAOyt7JULztIFMjvP5croCe8NuTOBZ5waDLB4l1ErF4cmovsNGKqah5OXjTwOEKb8DieOTVkGBtJLS7NcM+0wgko5aavzEzXZTw9Id9nfYlm/+3hENj6PUknIKHvKq7gUJPffm/jhcmWym3B6dCSbPsVjAFeXWcI28N85KjX/HpbPuOT0suIOW5fpS0sipNM3FiDZBAbxdpzD+f/cLTLWzU+lA7DZCti96RufDu1M/uVKJwZBVXO2q/AzZzd55XpVPOa0G/BiFy3MyIkTs0+eK6u3u8zvqzzLDQ8j93PHfBPAhVx5AwcpLeyGa/1GpiZlKEBwiWUX/2YvX2n2cSvSddPCElcBnZp35x3xrNptUzDl6fYCUY2qv7c+Inwhv/STLxlx/vwgLdULfn4dfcU+TlZWMTiUozsu/yTXTw30uZFfAPUidGABkSbSpTRUde/o3RWMdYjPEfEg2iag2184k6iWRQzNn7EZk/00N/h736D/iU6V0VMGb9ITe4m/MJj90pIA1u7Z6rCRDL9yrsVO/DHY+WMMkjYm2hLxuLDlF668jE/3DEd3ewwfiqWKYl6ar5qmhE93HEX2SF09FNerL9XJoOwc0Pa/8iq0wHtpk2eVZ+0bhAADtdrtUAlcuPlxWg2hSLPTSZR2e4QzTRnTUI3itU3pFCZ9LmgizNwCDnPjqwbMDFqeLDzJLQuup+C9VziKl9szqnd8LTtFvUBN0TDJxguglegQh0RSvbw7rSTvMMCXzzOJFyJETg7nSe+TIdcRAM/qFxMglKvB8MbQisJ7/NTcvQ0k3xLkK1AOI02GlF4lAoPDEJPD8+ZlUQ+KN5sJrGjb/OTIxxd6nRsLmoXl9e7HgQnU/EuhJg7d9kb1/Aky3ZZr3K1sQE6qviSUB+dLU4S54NqnTGrL8MFv9m089IpjvJVhVoX64AwOiUUfjno6c27QAhAWvCtxCLP7TBXeZLUqUba1hkzsTjJZUW+C3gR3qojXzjibA90OaAlLS4sdCVRUwGK8ck6h0e3QwS3qr3ZVE6OXpi9Nt3zZBolXTYOYo9td/euNQ6ClsSFlPnG+0JFjv08QAHw8pVclZEsVl9F92OYcXng1qbbYDUatt5uRYjtolRNQlGSqeQ43c00tQWwbFkfuh8eBEKhjcyWkibgD6NFVpLyVi/OMhbbqvMjPrmOAMy2HsHpu/MIEyy2o01DJdKO/ieY78ZimWbOAArFqt+lqpM6wVb+WW+06K2I0lFUogWn7x2/J2bPLmQHK/kd3HBf8Cfdr3QfSrEb1VfsbxFpS7n+lepiYKSeAY0njmzeEOJB/WWGseN7hpACuyBAKNhTeHMkrMC2QzzLGsUlyNfkAiTQ8iYeL9xud47d7AcXcyyeb+pfFca/vxwVfVCysa4TgcSYRUN2tbm1JYg6fsPrT0kWSjw/dXO+iAtQBdD77cxdx0HqFwMx2OxNAViltb4jX+R44bFzpO9nrIfM42LFpz3Xf/cVx0JjqF+cakLO/hh5kA/azclzPe3aIvqSS+Os1JhCtdrYc8iz0pOx4kv90fRwnE3L5u6NImWgDZaipsuKVmFyd3GXNemJKN5PxuJBZxzuS9clouyuequi5fckiYdiIy8q1aGHv+cm+oRE2meD3krY7/jpyqY+fbbzeC/xZDr2s0p3h3ZuX8pYYXp++KpDVxX4LSCQPXkimDwUDTSWNI7pM55+l0lQ4gM776pbIim3tO4NMC2bOfk/xOXxQiu8JX2/z5xecKXfL5ytK3JOnj+5LOJyXFJurssenC2br4iw657dIOciVWB1tTMTVdbmYB71/VHTnZKssnT/V7hozcyY6m4lYru6xx4PSLT6QM7YrsetYWsSjeWLUc15zzaNn95E4eEe/akaknVlrj8NHQuvvYgk+/PdpvpJJrftHOxLIrvMLg3i+TRtMgDid8TyxSR8LyNJYQNcyt2JaL8xPfxAyU6SMuQF7WQS1cmwPRnZ/oHQq2ht3p6GgJZzKnCFJ0TQIyo6mo3/l5wWecQjN1KaVOOCMNl7bByaC+ej1f7WlwNBPgt3g+3OcacBOdV8No40IQoiOAA4ADAAMgAwADkAOQBjADEANgBjADcAYwA0ADkAZAAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADUALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw9Y+6DngNgAECigEFMi4xLjE= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/8802099c16c7c49d

https://mazedecrypt.top/8802099c16c7c49d

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8802099c16c7c49d.tmp	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8802099c16c7c49d.tmp	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DisableStop.mhtml	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\ExitTrace.jpeg	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\InitializeBlock.mp3	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\ProtectUpdate.ps1	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File created	C:\Program Files\DECRYPT-FILES.txt	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\8802099c16c7c49d.tmp	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\CompleteGrant.vsdm	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\ConvertDisable.pptm	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\RenameCheckpoint.zip	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\WatchRemove.xla	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\WatchUnlock.AAC	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files (x86)\8802099c16c7c49d.tmp	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\PingNew.jpeg	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\SelectSync.fon	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\SendCopy.pptm	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\SyncInstall.png	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\WaitUndo.jpg	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\MountDeny.html	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\RevokeUpdate.mov	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\SubmitWait.tiff	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
File opened for modification	C:\Program Files\TestAssert.m4a	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
2104	04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeSecurityPrivilege	2116	TiWorker.exe
Token: SeRestorePrivilege	2116	TiWorker.exe
Token: SeBackupPrivilege	2116	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe
"C:\Users\Admin\AppData\Local\Temp\04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-131-0x0000000002AB0000-0x0000000002AB3000-memory.dmp

Filesize
12KB

Download
memory/2104-133-0x0000000000400000-0x00000000006AB000-memory.dmp

Filesize
2.7MB

Download
memory/2104-132-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4192-135-0x00000163DD560000-0x00000163DD570000-memory.dmp

Filesize
64KB

Download
memory/4192-136-0x00000163DDB20000-0x00000163DDB30000-memory.dmp

Filesize
64KB

Download
memory/4192-137-0x00000163E01B0000-0x00000163E01B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing