maze | 4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69

General

Target

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
Size

354KB
MD5

09e61348c89279d1f31159cc152a33ac
SHA1

1fc77fba10690bf81fa0b25ff1d74b23ff092d7e
SHA256

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69
SHA512

fdcdf8a50118f8cf2f379d755bdfc5c1c9c3ffa3fc333fc98ad9b24f4894763dfdb82c33e7edf6849b8c50c7b403f2a5ce64dd0935724c7cf9b973761ff237c7

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/88380999473507da e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/88380999473507da b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- U6KE12W4FMO3+9HsOp8AElnADJzpE5TLGXUMaGte9Yx1BaftXR4kVBt9dl25Vz3TZB1d1mb0Psd2SjQjfgrFDEboGHhXjuJzDyLzI8ivHgowF0r0Hf4SQTjiRhNCFDLo7jpcNjDuwYkgfO44W7LMXPUlUaOdPwq6AmjFeOH4sJ4HZmgSTcVcpXApqJpGZwmt2CYx9d0zy9GaMSlGfi4L+lzIeEu85blzyhlXPi3ndVW7ShkdCTVHxM9gs2so1REOhaGj5z6eN+E9qZKwXIPtSRQr1TW9LtfDrreV4+XpY6UA8ePRaZjPSIvAFJNfqXEjuD22fyEsCQRnFjLe5Jbv/sJEWMHas4R+xJ9bBEYSrO4IHNJ3Dqi1d2e9bO5BvWgyENzuKxTakHhJEsE2vxsD7aPZAv8FlismdV6kVXuBYy6kA7xlakS6+F6d9HZcBXjn8nX+kXae19h6ttfxp2Rsvw6cq1z9NSgivq/AnlADjR6UMavnRal2aTrw6b6yxBocZUrfKrulU7ZKEqQUajf5YvYAffFHRH6Jln+pJ9DxlutAaTZxBydVOIEJuqPH4e3uA9fvFH++mCpSqEGAH2yOH/10lXukzvTZXpOkYmyYVpuUAyw//DqjWA9K0bi/Z4KVN8zI+jay1i43uFVLL31HdrL9DELI81+vpmeqHXMJdyN2zA2dQN05x8a/62diCm7DdOk1t1WcVx11yJaR2Vx6kXTb7nStcH464srzGzit0c/pebtcGnowlfejIX18+UWL8DXHw1//+WF/F37TfzCgU7E1HCQPeyBfRjtwmhzgi9IvCI9eGLLK8j7sfXbEsaDjJJ4wlT/3F2QzDYZteAZUbcdGoGT46KlsYaHVqzF4HAY/z8oqlYgOyV8wh0ZMOD4lAF5WTn/vAI62pbfuH4avluzKlMMq4y3aluRW1Gp3umxgypUQA8ZdEMQvlq3ut7qeJU24gI3e/16RWYNJaTjIkH03BasqV/ppHG1DcNvlZkhsSf2wiOS7pl9daTpFRbdiwtXaK+m/hUh28zQZeA8NDGA0CR+a7wD2EEp8q6mmGQeC3SSqwblNkK/8uV1KiX9uAZEqopHRGwybTl+UVxqChi7JJKEvctl1nfRKUq6PjZCcmpwNek/wg88qrdK5ODt8sGdx/oLGv2XeByGJuCD6QQLpd/KT5YJxkmdP/Kem5OUI84ofNjrypgn1vQUfVU7YXcUy6/njGhefKcqOb/awdYFyyyZ1mPJpEG5IRFCUsC2lt0ZquHf8i207Kn2+nHIUyqnPi7YJ8Qx+ewWIM29JHNptnSho1oXaX9F5ET0YyOTZ9sI3IrklOXUvHJACMwn5T9J5nPzfs0ILA/Dt8+1boAJeqIvYYHMzXhmy/2dmo8LTDW0s8bDTetEwu97cS+AIceslYh5wt+L2xyz6OgE2pNQY8mm0qDvOaSlYjhzYWVF8xgJF8cLzwsuqLplEa9rPoKEaD9dvdXvHkJ8tcB8FvKPxLdMBrcuOWjQx1htc9uP8KsFCszdsRVERdCPzcNHGPi/bGCW4Byw4QbHWOSu1nqVjxfkZLVvvZyQy8EGbkMnkG+42ctL6NspmwkYIp4rmbCivPyQCGkP14t7V/zJcX6XKny068L8SYq1+v1NmbFFMblv++EBfIKJ4n/dri4XnIS/WO8J39vs8TBGk4vADs3I7TJ1pqAMjaFSRX1vSZ07JSR0OGk4v2qF+Iz7J2Oy4ePvxViN3HPE7vbsc0Mp4pQmnnU9aUQIys+m2Wa/aMwBxEGUgDaULYHxiFQFPSAhu0Qu+UF5vEb/JSUZVE0C35NOKqC2+WJy/D2q3YJjx85FfxqPW1tRI69wmhrLT63LIGp6Izq5uCdNFZfotO7T7V2pQWf5X8ed9QpIw2Rsy/Z75Ml11Tjmod53X4fz13W6ZU2cpyogJIo2AYQ4x6GnVK8yAGwVWu/j+v7ls0inu9j/WNKE9dhm8UZIRJUD6QOlRFF6SKA2MTSJ0UtmEbnrH6cInc6mwHDVAOm9hQsYIOLNEDwVmK9colGhNNx31MJJQ3Cd5TxyIjyVhCxBeuPBkZY90gTWRf4mVql4ft/mOqZeECX+8YCb6BRIvN1A4iEzw064yHQ16ETxYRV1yjJwZE7sOOmV3v0k8sqNTKRvr/wB0D6NKyrY8d9ih62Zd/bu2y+dE56I0nK8Wc90380JV3nvWIRTApk/7d7QbQG8qoT2IkUUoDqjkPZonT3qZNjI66Ew2KwoiOAA4ADMAOAAwADkAOQA5ADQANwAzADUAMAA3AGQAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJRAFMASwBHAEgATQBZAFEAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwt7Hae3gEgAEBigEDMi4w ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/88380999473507da

https://mazedecrypt.top/88380999473507da

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CopyInvoke.crw => C:\Users\Admin\Pictures\CopyInvoke.crw.2nZVk	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File renamed	C:\Users\Admin\Pictures\DebugCompress.png => C:\Users\Admin\Pictures\DebugCompress.png.2nZVk	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File renamed	C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.t1Qei	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File opened for modification	C:\Users\Admin\Pictures\PingEnter.tiff	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File renamed	C:\Users\Admin\Pictures\PingEnter.tiff => C:\Users\Admin\Pictures\PingEnter.tiff.t1Qei	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File renamed	C:\Users\Admin\Pictures\ShowReceive.tif => C:\Users\Admin\Pictures\ShowReceive.tif.5KU5u8	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

Drops startup file 2 IoCs

Processes:

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmxr27f.tmp	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

pid process

1128 4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

pid	process
1128	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1480	vssvc.exe
Token: SeRestorePrivilege	1480	vssvc.exe
Token: SeAuditPrivilege	1480	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1616	wmic.exe
Token: SeSecurityPrivilege	1616	wmic.exe
Token: SeTakeOwnershipPrivilege	1616	wmic.exe
Token: SeLoadDriverPrivilege	1616	wmic.exe
Token: SeSystemProfilePrivilege	1616	wmic.exe
Token: SeSystemtimePrivilege	1616	wmic.exe
Token: SeProfSingleProcessPrivilege	1616	wmic.exe
Token: SeIncBasePriorityPrivilege	1616	wmic.exe
Token: SeCreatePagefilePrivilege	1616	wmic.exe
Token: SeBackupPrivilege	1616	wmic.exe
Token: SeRestorePrivilege	1616	wmic.exe
Token: SeShutdownPrivilege	1616	wmic.exe
Token: SeDebugPrivilege	1616	wmic.exe
Token: SeSystemEnvironmentPrivilege	1616	wmic.exe
Token: SeRemoteShutdownPrivilege	1616	wmic.exe
Token: SeUndockPrivilege	1616	wmic.exe
Token: SeManageVolumePrivilege	1616	wmic.exe
Token: 33	1616	wmic.exe
Token: 34	1616	wmic.exe
Token: 35	1616	wmic.exe
Token: SeIncreaseQuotaPrivilege	1616	wmic.exe
Token: SeSecurityPrivilege	1616	wmic.exe
Token: SeTakeOwnershipPrivilege	1616	wmic.exe
Token: SeLoadDriverPrivilege	1616	wmic.exe
Token: SeSystemProfilePrivilege	1616	wmic.exe
Token: SeSystemtimePrivilege	1616	wmic.exe
Token: SeProfSingleProcessPrivilege	1616	wmic.exe
Token: SeIncBasePriorityPrivilege	1616	wmic.exe
Token: SeCreatePagefilePrivilege	1616	wmic.exe
Token: SeBackupPrivilege	1616	wmic.exe
Token: SeRestorePrivilege	1616	wmic.exe
Token: SeShutdownPrivilege	1616	wmic.exe
Token: SeDebugPrivilege	1616	wmic.exe
Token: SeSystemEnvironmentPrivilege	1616	wmic.exe
Token: SeRemoteShutdownPrivilege	1616	wmic.exe
Token: SeUndockPrivilege	1616	wmic.exe
Token: SeManageVolumePrivilege	1616	wmic.exe
Token: 33	1616	wmic.exe
Token: 34	1616	wmic.exe
Token: 35	1616	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe

description	pid	process	target process
PID 1128 wrote to memory of 1616	1128	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe	wmic.exe
PID 1128 wrote to memory of 1616	1128	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe	wmic.exe
PID 1128 wrote to memory of 1616	1128	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe	wmic.exe
PID 1128 wrote to memory of 1616	1128	4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe
"C:\Users\Admin\AppData\Local\Temp\4feb2e00c0dc0c42f42fd2c93f48e350c37386768e7774f82cdc98c8bc8dbc69.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\wbem\wmic.exe
"C:\mjwv\yifx\..\..\Windows\u\ccto\..\..\system32\rawsv\..\wbem\sdlf\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616