maze | 6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3

Analysis

max time kernel
164s
max time network
188s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-02-2022 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
Size

758KB
MD5

76166a976c7d3cf9c02dfa118574af10
SHA1

7c6cac9726fa19fa2f1fd33d58f915665a460fb8
SHA256

6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3
SHA512

6d84a7701f4d118b656fec9d3d3a183f4b7e093ea923066877b9319fcfa2b18ad7fa29c254b0d4a4c1ba42cca9e90ca26296fb8f6e5a6d7a1d6bef0f78fc21bf

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance to get it back! It is easy to recover in a few steps. We have also downloaded a lot of data from your network, so in case of not paying this data will be released. If you dont believe we have any data you can contact us and ask a proof, also you can google "Allied Universal Maze Ransomware". When you pay us the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c610cc54de576e6 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c610cc54de576e6 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- wMZva3RZWV0HE/9YwyWy7PdEpHWgisNslN1N5mBjuzLKamPNEVDudI1hfMmIN92RveuBRvnQ+wCZOo7CPxmQFu7M4qDZKgJHxaIWLsCjdaR+Cnz/Su/ZUCfFkqrsAIWXbIDDI6WYZ2oWACKr1K8nDleXtXIj7Wy9xauJ5PZ61QeHSNuGt5TFaIJrX/mE+hHyEBAxw94W4VDQgoPDy6f0BXKUDAhnuO0rA878ci8kvsxZBqZBY1Eb+RB5lmWGKoUueVwP4BQQP/zGmTY+AnNK35xJnGSbx0tZ0FnhydMlfmPl0h1ZTMZvkayNStTu89Bq69Xmh4P8eLs+uDCToFBHTCHfBUixMxBtpaQVCO+wpe7r9UdPHZ2LNOHxMjF5z11Rd3akIEA9ZypQDLjnfOBR6+PLZCQkw3MSfXdo9D8wRI6nugo4bq+LCRpdn4byT0K2Kyf/L8WDcHFuHkFZ3cuE/hG5kJQwY4cIR3Sgb75+L/DjTfwy9MwfGcX/B6tsxNEVsGD/+nU8z1305/fJ9crH/oVNwTqlZl5UFcROKAjvy0xYq8eJ+/OxYdnTdXv3wB96BVhs8VlSQd6keP7j+5ser5s2yzC/xbSc1ntlyLciBL306vHwa45TMNAdZfvMeJaSZr4L1RvVXm46f7kk4SXEuWp/vA2wls/WTY96qSPuJhLEyTdBelQxS5aKEvjFWfW4cBfn4Wthtp3xqmLuK1QNj7OcluoXwsUbB96MIpo87MnovWUk6ClvvuQHTHwFTbk9Ebl7rDZ/LNpzB6SvZ1Vof9oiSBpuy4pc6XoiDfItym/9lTFiCsLZUEeFKjxxPLT61odpxkJvvdKqkJ1mK7H4zWQkYU1i2ft4kh5YDUFos6vY6TpJvsQa0JWdRfSYoLG3AEf7ii3Sq05ONlRyUrKWCzrE4F5XlOpTcP49m09d5ytIEeukkFoL+jp44fB+lCJwAYHlq8X7DDuQ7jCCD3bBmGFIsInJ2aN8+NmJlqEMAPGQbgydKZdQ/5esp+Mn70sMJxTDDVPLIuTOnxa/rqx7Q1Jijh29HSFGoS9ObLTqk8F2aj/P6EwB5VK8TstvbIWOygdnEaiKHbxn0AoV8Rue12dva4NLxzavP/os+octeawkTvBD62HhARUm5MY2M1zcYJnFI+PceCQM9KOjmPr8BsHwVkZFqmgjQg5TRN/TAIEXjp6WUAuNVQNWuUvIpK2Pk1CoDbMsA3avuirhepKg8Y+QxR7ywk7talLyxcvYZ151ft+O5G7S26HMWIPwnpTJiVuv0lhmmexZuzGChLraNMBG8hlZ52rdlguB3JO15hujafOi3RnH/8M0cgVEnn0JdLOcWVM2PYn4rrs6yylxBkO1OMwUxxM5w9RG221V6wX33aJVVvRd7Znt3fDp8ocORWrz+2GEjILPZQuwxrK6UZ3FqfyrNDlxPy2qqiSlPOCVn9fGnL5dAtRkDyrZkv5MCHtP3g813BSmYfduWI5iDT2MM8Hq+z+7YWDKbUAIGigq+qiGr9tprcy1oo4iVakh/CKCtdfDn4m+EMBrNWBZ70wOrQRhzU7o3AOQ46hVT2HESm47QQY9GtVYSLIVOdwS+sxaKf5IqTQmR2sEAAaFqFGaTV36n3WnQ0PCxZJo32RU65EvEJkgkBJlMLhP41wL3RJm7wTSDQUfWbbeAix7IKsbQuQzniz4ReDxRx96JhASlQAHcms9snovv0i/Y0j95mF5mCGn0TEKcvxXWZNRDj0vykwucPm8l/OmmBIAaUTUvqzlAQYpH/x74YT5v3Ci62tvEYkSWKwbbr7D13LpH3VIXIPNKbvCZkvZX0G59KV3HK+On8qxDEy0vxSCDz2GyJjuPzvGGECSP5sROkrN7Mxa4jz+HXXofgHx7C41EH+FQwulvLGj/+WmqOEmrpH5B6GHSmFtfn7pwiGUa+/bxqWB6CNbyGkes858qZkBv6+rzyZFAy/umBN80cNYG6Q4ac3SqXXicfTsLUXy6N2KOgHM8LJwti4GBgEqRPv/IY1D0PPnpHsAVqCgODiQmKpa0PsyuQDkEs5qqTR25nSUwi1DA1Bd1YgEmZROcmUszbPtABOT89WZEvKvIvLOvHWukxPPUaCduP85iY+gzWcXqIXJ/u2w6wy1b1gw2kBhB3mJFrlxHo21V4qZP9TVNW3aEgLIrIu0rHsmdAXoG/tebg78zMyPbPwx5ZcdXCdVqYTpik5sQ06hRT36jDbB9eB8gLKrAwoiNgBjADYAMQAwAGMAYwA1ADQAZABlADUANwA2AGUANgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAFEAUwBLAEcASABNAFkAUQAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAAEI2fABDAF8ARgBfADIAMAA0ADcAOQAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHDi/9t7eAqAAQGKAQMyLjM= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c610cc54de576e6

https://mazedecrypt.top/6c610cc54de576e6

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SwitchRequest.tif => C:\Users\Admin\Pictures\SwitchRequest.tif.nP7bEjH	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File renamed	C:\Users\Admin\Pictures\UnprotectGrant.png => C:\Users\Admin\Pictures\UnprotectGrant.png.PDbP	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File renamed	C:\Users\Admin\Pictures\UnregisterCompress.crw => C:\Users\Admin\Pictures\UnregisterCompress.crw.QER8I	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File renamed	C:\Users\Admin\Pictures\RenameOut.tif => C:\Users\Admin\Pictures\RenameOut.tif.cjphpA	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File renamed	C:\Users\Admin\Pictures\SearchMove.raw => C:\Users\Admin\Pictures\SearchMove.raw.IL1TRk	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\StopInvoke.tiff	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\UseSubmit.rtf	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File created	C:\Program Files\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\EnterGet.xps	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\FormatUnblock.mp3	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\NewUse.ps1xml	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\StepSearch.contact	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\BackupOut.gif	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\DismountSwitch.php	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\UnpublishUnlock.3gpp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\ConvertCompare.au3	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\RepairPush.mpe	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\AssertReceive.vstm	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\GetExport.vstm	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\ProtectComplete.vsdm	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\StartMove.mhtml	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files (x86)\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\DenyDisconnect.hta	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\FindDismount.cr2	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\LockCompress.xlsb	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\RenameEnable.reg	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\UnblockNew.au3	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c610cc54de576e6.tmp	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\DebugCopy.kix	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\FormatLimit.jpeg	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\OutUnblock.cab	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\UseConfirm.mpeg	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\UnregisterSwitch.pot	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\BackupUnregister.cmd	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\EnableAssert.m3u	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\RestoreDisable.pps	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\SubmitSearch.AAC	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\TraceRegister.wps	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
File opened for modification	C:\Program Files\ShowRead.ttf	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1272	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	272	vssvc.exe
Token: SeRestorePrivilege	272	vssvc.exe
Token: SeAuditPrivilege	272	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1588	wmic.exe
Token: SeSecurityPrivilege	1588	wmic.exe
Token: SeTakeOwnershipPrivilege	1588	wmic.exe
Token: SeLoadDriverPrivilege	1588	wmic.exe
Token: SeSystemProfilePrivilege	1588	wmic.exe
Token: SeSystemtimePrivilege	1588	wmic.exe
Token: SeProfSingleProcessPrivilege	1588	wmic.exe
Token: SeIncBasePriorityPrivilege	1588	wmic.exe
Token: SeCreatePagefilePrivilege	1588	wmic.exe
Token: SeBackupPrivilege	1588	wmic.exe
Token: SeRestorePrivilege	1588	wmic.exe
Token: SeShutdownPrivilege	1588	wmic.exe
Token: SeDebugPrivilege	1588	wmic.exe
Token: SeSystemEnvironmentPrivilege	1588	wmic.exe
Token: SeRemoteShutdownPrivilege	1588	wmic.exe
Token: SeUndockPrivilege	1588	wmic.exe
Token: SeManageVolumePrivilege	1588	wmic.exe
Token: 33	1588	wmic.exe
Token: 34	1588	wmic.exe
Token: 35	1588	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1588	1272	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe	35
PID 1272 wrote to memory of 1588	1272	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe	35
PID 1272 wrote to memory of 1588	1272	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe	35
PID 1272 wrote to memory of 1588	1272	6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe	35

C:\Users\Admin\AppData\Local\Temp\6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe
"C:\Users\Admin\AppData\Local\Temp\6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\wbem\wmic.exe
  "C:\vn\i\u\..\..\..\Windows\hf\..\system32\jubs\dmfc\..\..\wbem\dsnyh\tu\mlg\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-55-0x00000000006EE000-0x000000000076A000-memory.dmp

Filesize
496KB

Download
memory/1272-56-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1272-57-0x00000000006EE000-0x000000000076A000-memory.dmp

Filesize
496KB

Download
memory/1272-58-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/1272-62-0x00000000000F1000-0x000000000012A000-memory.dmp

Filesize
228KB

Download