Analysis
-
max time kernel
160s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-05-2022 23:17
General
-
Target
38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6.exe
-
Size
3.7MB
-
MD5
e14c0622af40260fec213c4100605bfb
-
SHA1
2cc388e5e5ccb150604e3e5c0a715a8974a274c7
-
SHA256
38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6
-
SHA512
e0ae9b2f70b6460672079b907cd30fc228b2245b60315561651a09de1516424aeb770383b5cd7468926c5cfb221f130787d536d87b0941fe09cdb47af40a2d05
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.txt
Family
maze
Ransom Note
Attention!
----------------------------
| What happened?
----------------------------
All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps.
----------------------------
| How to get my files back?
----------------------------
The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/87c609897feb7e9c
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/87c609897feb7e9c
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry.
So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer!
If you have any problems our friendly support team is always here to assist you in a live chat!
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
fsit1qeF9PWNDh8G0h7MrGP0C8mxPyTf51BYUBmYPVjIYx9kW3xbVouL7DAMj4ujqt1bxPDrZgjH3mH3JtqR7SyIwUDy44M8X8rkTCLpU0gUlbaofTVE0IfWKJszK5jiNF+vek5R+Ou9kTTkg/x4WGSGN/gzzRRZKMKdyBRVpotEX05ezPMwjHmBnet/iz50NC18iFEJ88ScstKLhU7rcoQFv7jpPiC9ARst9AXUvUXXKN+hGdav54KXivwdhpvucRI9iwTk0LEw4yaSaYPFkGxfJgibtj1UK/H2p6XEbRSMsoi1gBqvYJKR73OMqF15N6q08pdd9GBHdCK/eBQ5DLFA8tPP//1XPx3C4LCZJ6zA6L+onsNC1WosYlbRSHKWqA9DDzAA09Aw6pEqixofSbXuVT/Nyw+Dj98YayuPTZ8v+FjbTiLczOQwSH0qpbeGBG5h1yocJuG6RfxdHPoDEEfPWsnXy6Vk9AUl0PoYwALCBpOd40X/9NOXEV1O5cVREdu6/hj1BOoWjIEQsp0Pxk9x873LkjAjBs4XJjRj2G5rsfjQ1h0Qg+DynYuB3pqaYnAOIYP6/nbeWgNu/IWmFeBgyW59w6Zof9ziYriLEh27vShTyOVYbstKdcoTB2UGclQU897cP1tdci3mddyx+jw18TcAVv+/kmuy3mTiYVeUkzuuigA7eiZ0crNyEf8J44eUUXhoERtaRRO2EqQ4poWbVwVV7hT4i1KTZLu+66cvX/EPx8gS0VLbE4PfVC+9sCoYemIU6VAqBA3wcQAqGhGKfkUvPbe5vd6eIvvuyTw5vA90yPKxs0RYCcoyzmJz9XW/AfS+XSDT4FoWo53SpRwvsq6sXggDwIOqGFnJa5cyH9c5VKp4XkF2TAvdbDW0SdwuIrBLO8r3tG9IYY1SsS4qdEwnyxrX5y0zT8B7owJFhwFlxkHf5GswQXY+O22yo7QxRLNEu9R6XuR1oK6Y8v5ZHyFjkLh6Cv5V+3NbQVrjj48V4b7Mkf+QhTwoliYXX7ZlkYhPFWflnY2fmdzEmCak7pr3J38M8R8C+9B6R5OjLjKhlLgZmLWn4rEKCq6DE/PWMTSa9c18DNQDcqUZya1Sjd1aJUrjSNZpOyTSDSAawwGkqiEObtzwDCZ9tcSD4OBisqZKrhmI9tjayJoRP8ULdbwpAlaetWDTO/FOvMQ5216DzzQkGwnm8ZHmZknDMC1+9Cnv0cSOdvIMCmEjOA+OLtnq9UhgAmxIJGl1hBh2IeuiR1dNgiUtCbaemyx/QvY4vzsEBYD6YyIzrtDU20WVBaTMpt8KsA68IlYARYFiAXdprb33/hc6ZaeK4JcJLY4ruWiFEx+IxmqWSTyi0ZFtJu+oAKbnO1FRuCMMEONsBn83o1pxCbE3Kh/C3Wwa8rqq/rDXJ1dg0ZBdwSI4gfv5JZmfhrJwPC6Vp2VVpTe/xo0/JEluxRWD3N5cgRrHC9DcbJAm2WW+7smB2kGl2ei456hX7QJty0bCjdtW1l4ODokThA5THLO3X7yfvqm448v8iE/J8ke73jW+8/lL7tK6uxSUlxpk8W/0aMuX9sb2fgzImdUHxA7+OSLI0eP1A9ZRhvvyTjmQz6Kv4bstkaQHFgmkMnNOwRKRkd3lfq9l9AMO4bAvzVl/rOEKNTi8mEr1iDvG+9UBul3KIYStjV9mvsq7cPSYN63rGtg/NYLxtuhgqMSeBEeL5iAcS8Y53+82OG/hTmoQsSMdzpkrrjJzYFjS/tg3W8iIPWivRpnhGkX/tN27hkC194y+3azNwMmrUGmYLvgYcIC6DwQ5bA3OV3uFypd047XQqLqvD0byLEQj4nhL8PxAlocdh0+FjLIbQnOpuwlq5SVf7F2U6uWqYiVKZg3hNSyGDBMWgSJRM4GJKm2U3c+G9hGbuBx44ZnyyEmm71cgh5eaQn29Ilm1fkAKUyRxzfximXLi32DPIrCQ+A0piK5MjAHzSF5JEUWfBrXCwXPvCMB3U3bp0US4Q+HaiWCg9N0yNT5ffeSVKRNaioXfebZ27zy9/ER1FDndcWtrjFXpVmEYTXEuPhEo6Y/trhw58/Avi/qpHs2A2lKE2TO3CqVFKDyI2NIDlKrwNYXrv2f7aDWCde/rVTMi8zn66TA347FeWSlOze8tAQemOBCOXmGhBlltJygUVm0Nv0fX5iS3+5NDr54OvoGZzRMyI0Szf6WtLzpK8dq2b/0CPOx/y1pvQdAxE2dJcglFhgoiOAA3AGMANgAwADkAOAA5ADcAZgBlAGIANwBlADkAYwAAABCAYBoMQQBkAG0AaQBuAAAAIhJGAFMASABMAFIAUABUAEIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwrsbdcngQgAEBigEFMi4xLjE=
---END MAZE KEY---
URLs
http://aoacugmutagkwctu.onion/87c609897feb7e9c
https://mazedecrypt.top/87c609897feb7e9c
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
suricata: ET MALWARE Maze/ID Ransomware Activity
suricata: ET MALWARE Maze/ID Ransomware Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 23 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6.exe"C:\Users\Admin\AppData\Local\Temp\38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6.exe"1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\v\..\Windows\u\gerj\..\..\system32\gef\sob\chr\..\..\..\wbem\yp\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
-
Filesize
7.8MB
-
Filesize
644KB
-
Filesize
7.8MB