maze | a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a

Analysis

max time kernel
600s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wordupd.exe
Size

736KB
MD5

21a563f958b73d453ad91e251b11855c
SHA1

64ed4f6b315448d518ed003a1d0c7e56790ef50d
SHA256

067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
SHA512

3eaef227db10759c65d668317322e71cd60e60427afd4d4f5f627e9b7a9d4e6d3287b7bf32df3fa7ba2f7062ec41393a100a477668b7f4dca76c2b8932c1b9eb

Score

10^/10

maze ransomware spyware stealer suricata trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/89ba09ba7e010201 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/89ba09ba7e010201 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- UWtN7gIb9jI6Ko0utyQvuzk7HEhc7mFwkmJN7WgY2lgYB36jFZYOFl+JMOJg9hAPw7O2VXRiWAqc+XoqYOks1IQDQ/qzOA8wUROCifh55uT6WlaBVzS9r/v3Jg0A0iP4K27GznnHfYXH28fMKZFhdF8HAmOND+XlGH5tu6OH9D3zWinfNcDt9KZ7x3Py7S0IMIh43vjCC6JGPG4yKm7QN4R8DX2UHZMFZ4i4uld6zN0MfK6SS1bRREb+Ncp2K0nfTPJGENvrpHPuAFIzb67QUXw72XmN9b+es5svy8U9hoZ+YvmzdDCLG+Bl8I0It1282IkhoHArLmgLz+9Px59UGn34NZzD5tSsoyHflIRDqflByU49Ry7L5KCFYXJYlfhHrEJoNG5UI5q5RuqhjhFx1bKyGyWnUTgAUyIN6poSDRvzFGarJk7q+9HfDEMW308OLlKEK4hYUW97evaDbLtsAr5DPg0TdvjvLFepMAmUHpo/9rAVJjZz0sTvb7traT0nbPXLoPx3fh6/GadXDzGaUnpgfaabePxA3jU8ldm6bBsbuSdj1sjqCZl23Knv1n+bLEX4RXvUCa1HYLuYQhf4U0ShamD1LpxN6S4B++xU+M8uzGEtbgHLJevDfVqrhr91lkevB6NVpA9pFcoi3v4jsjDec6Sa30VkHrDxz/Hb0FU7JspG1AHHLzgf5c12Xjc5Lv0bCVRpKviGV72iudNkt6WSR+TxBk0N16nZ+WJaoX5dyCmw4qmwZ/RRZAXjiGESvxBCF8XIhenqFoc0ZR8IfPSb81BiP2asa4tAUYnVmd2FAteNXUmIxy0yC+B2LbayrRpAlDbeagcRg18lh1H6LanIir/Bb6PZjWaXklQ5G9Vj8NJf+kFCnAI3bXmNL45ZeigdBVs/hhofsR1y26sF0Kijh/L2MWc8DNMgOX51/QJ0k+LQVCj0hsVR0P+/2LMq8ch+wnnYFV4F6Hw0nHI+SxgrsUX0bI1sstH2vh4sF9DUwRmlXRI4dxm+5Ua2NdE/Mke+WNauFPlFxV4GZWo1ZxZ9RxVlIDGs8iz3jR3JbpEL7OxoHN0pHYupE6v7JHgEvN0DOEUBrZrVgLmHTVhRkwhJXW8/a5YSryvbV+eERRA4xs1p5Ppw6+MkHGOxEdG7jVcbw9a+EfbfMF5/1w6a9BltuhPzRPXuApKPX46iUobeeKOsbt7C9O7fkOXWfo9KTQO5y/ZXLQKquFWbcEqYWG6wqVeQrgYbmyV1DjM3XZOYj727kGECFcGd5nuXpJguHnNlSp421c06mXjrVvQ8u0cv4Qdv/vHf42ABaP3ogJ7z9AOCjmphFdG/ajmGsKRaD6AJ5uUrDSff7CKb5GwWeVU/nF55eYVyvZXpD2zfbC+bmX0RH/X9BRzud5XlXu6X8Lb3otaj/WW2i9Q16+gIQx97ZF9YJMMxv/OLEg0XRwKCNDSh3J7TIZ4s/pWyxn+MFfmUfCfdhYQWGLqClcWXx8Orvd1qnIVz3Rs6p0JBw4eSk5ZEcCNTPbRi6WWapOnBIT874WeCZJfg0LpySc7FbkBobi+JWMj/ouilB3kdfdDU/59/lXHk+h6/G8qHRl4TptuqXznYJAkahCSiQ/HgD+D5iVNicEMIYs3zPDTVXWbMUEPyWbnPuJgXQVvMBqBLvzyLfaXeuVZkYVwCRoc7fYeB+xKEkEduErmUNirnGOL4U4RZgORPpYBWSMIgrRFXdxzLG5MNSUrgcs4B/UeiAeCw5DqB/F0y+DABUtgIhNQ9ya5LUYFJDuleEJQPKLxyz484tcnqgVfaxwLs7cvRAXccpouhX/G5Y7jNCztu6jpTO2dTmcMjsr/HsewIuk6/9QcPgCQo76ZXKb/bIuuX7vxeigyug8pfddW7NguivnDMCwMgGIdqs3Ehu/USZ8l1WEb4LVY+zFbFUW0i06TZaoc31ESagUgr3Vx55Rm2RVAEOCQyqd9aXhZZCxzjbMaw8BzYfIFLxQiKOejHG+LytXDWyzY8Sy6hmrwbgq7p4aXHeyiB1lcwgCFCVmMgr8RAvoGgDd4sorptiy8aJUTDaLkgHNtlRQixctKHKyU6Sup2adZUFH+uldkwlrPcfi0lTQuYbMp8uIhkWhZchomx2PKocC8dhlF1cCAzP1bimJMdITs+tWiqUwEWh8W/9HMiToUHNeULq5sC4Gz+lVYI/8WQBJOXfX96sqVLopFInlEtz2xU0OzY7s8JhnzyMYEWjYQ2MwoiOAA5AGIAYQAwADkAYgBhADcAZQAwADEAMAAyADAAMQAAABCAYBoMQQBkAG0AaQBuAAAAIhJUAFcASgBZAFgATwBVAEwAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADcALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwmMfacngQgAEBigEFMi4xLjE= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/89ba09ba7e010201

https://mazedecrypt.top/89ba09ba7e010201

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
suricata: ET MALWARE Maze/ID Ransomware Activity
suricata: ET MALWARE Maze/ID Ransomware Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

wordupd.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UndoUpdate.tiff => C:\Users\Admin\Pictures\UndoUpdate.tiff.d8zv	wordupd.exe
File opened for modification	C:\Users\Admin\Pictures\UseUnblock.tiff	wordupd.exe
File renamed	C:\Users\Admin\Pictures\WatchPing.crw => C:\Users\Admin\Pictures\WatchPing.crw.d8zv	wordupd.exe
File renamed	C:\Users\Admin\Pictures\BlockResume.crw => C:\Users\Admin\Pictures\BlockResume.crw.BYm2	wordupd.exe
File opened for modification	C:\Users\Admin\Pictures\UndoUpdate.tiff	wordupd.exe
File renamed	C:\Users\Admin\Pictures\ReceiveInvoke.tif => C:\Users\Admin\Pictures\ReceiveInvoke.tif.q9Di	wordupd.exe
File renamed	C:\Users\Admin\Pictures\SuspendCompare.crw => C:\Users\Admin\Pictures\SuspendCompare.crw.q9Di	wordupd.exe
File renamed	C:\Users\Admin\Pictures\UseUnblock.tiff => C:\Users\Admin\Pictures\UseUnblock.tiff.d8zv	wordupd.exe
File opened for modification	C:\Users\Admin\Pictures\AssertJoin.tiff	wordupd.exe
File renamed	C:\Users\Admin\Pictures\ConfirmTest.raw => C:\Users\Admin\Pictures\ConfirmTest.raw.BYm2	wordupd.exe
File renamed	C:\Users\Admin\Pictures\AssertJoin.tiff => C:\Users\Admin\Pictures\AssertJoin.tiff.BYm2	wordupd.exe
File renamed	C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.d8zv	wordupd.exe
File renamed	C:\Users\Admin\Pictures\CloseBackup.tif => C:\Users\Admin\Pictures\CloseBackup.tif.BYm2	wordupd.exe
File renamed	C:\Users\Admin\Pictures\CompleteUnprotect.png => C:\Users\Admin\Pictures\CompleteUnprotect.png.BYm2	wordupd.exe

Drops startup file 4 IoCs

Processes:

wordupd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	wordupd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\89ba09ba7e010201.tmp	wordupd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	wordupd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\89ba09ba7e010201.tmp	wordupd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 10 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0AF88682-368F-4686-83A6-D5E92A110729}.catalogItem	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4EF9EFD2-CDEA-4408-B175-7D92A668238A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5BA42EB9-661B-4478-B321-70599C7E94AD}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E88895AA-D8DF-46BF-AF14-1A1D68B05FC2}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15B1774C-A2B8-499F-A26E-3683BC483FE9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61AC62B4-4B02-4CEE-BB32-CE661F25AB35}.catalogItem	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

wordupd.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	wordupd.exe

Drops file in Program Files directory 32 IoCs

Processes:

wordupd.exe

description	ioc	Process
File opened for modification	C:\Program Files\AddPop.AAC	wordupd.exe
File opened for modification	C:\Program Files\BackupSubmit.ppt	wordupd.exe
File opened for modification	C:\Program Files\UninstallSync.jpeg	wordupd.exe
File opened for modification	C:\Program Files\UpdateMeasure.dib	wordupd.exe
File opened for modification	C:\Program Files\WriteClose.iso	wordupd.exe
File opened for modification	C:\Program Files\ConnectPop.xla	wordupd.exe
File opened for modification	C:\Program Files\GrantConvertTo.mpp	wordupd.exe
File opened for modification	C:\Program Files\GrantEnable.ogg	wordupd.exe
File opened for modification	C:\Program Files\MeasureMove.wma	wordupd.exe
File opened for modification	C:\Program Files\ResetDisable.rm	wordupd.exe
File opened for modification	C:\Program Files\StepPush.mpv2	wordupd.exe
File opened for modification	C:\Program Files\89ba09ba7e010201.tmp	wordupd.exe
File opened for modification	C:\Program Files\ConvertImport.wdp	wordupd.exe
File opened for modification	C:\Program Files\DismountOut.tiff	wordupd.exe
File opened for modification	C:\Program Files\FindUnlock.jpeg	wordupd.exe
File opened for modification	C:\Program Files\OptimizeSearch.xml	wordupd.exe
File opened for modification	C:\Program Files\PublishReceive.potx	wordupd.exe
File created	C:\Program Files\DECRYPT-FILES.txt	wordupd.exe
File opened for modification	C:\Program Files\CompressCompare.ppt	wordupd.exe
File opened for modification	C:\Program Files\GetExport.svg	wordupd.exe
File opened for modification	C:\Program Files\InitializeConvertTo.ex_	wordupd.exe
File opened for modification	C:\Program Files\PublishResume.png	wordupd.exe
File opened for modification	C:\Program Files\RequestRedo.mpg	wordupd.exe
File opened for modification	C:\Program Files\UnpublishStep.vbs	wordupd.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	wordupd.exe
File opened for modification	C:\Program Files (x86)\89ba09ba7e010201.tmp	wordupd.exe
File opened for modification	C:\Program Files\ResizeSubmit.3gpp	wordupd.exe
File opened for modification	C:\Program Files\SendReceive.tmp	wordupd.exe
File opened for modification	C:\Program Files\ShowEnter.pub	wordupd.exe
File opened for modification	C:\Program Files\ExportUnblock.tif	wordupd.exe
File opened for modification	C:\Program Files\StepMount.xlsx	wordupd.exe
File opened for modification	C:\Program Files\TraceFormat.eprtx	wordupd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wordupd.exe

pid	Process
4200	wordupd.exe
4200	wordupd.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

vssvc.exewmic.exeAUDIODG.EXEAUDIODG.EXE

description	pid	Process
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2516	wmic.exe
Token: SeSecurityPrivilege	2516	wmic.exe
Token: SeTakeOwnershipPrivilege	2516	wmic.exe
Token: SeLoadDriverPrivilege	2516	wmic.exe
Token: SeSystemProfilePrivilege	2516	wmic.exe
Token: SeSystemtimePrivilege	2516	wmic.exe
Token: SeProfSingleProcessPrivilege	2516	wmic.exe
Token: SeIncBasePriorityPrivilege	2516	wmic.exe
Token: SeCreatePagefilePrivilege	2516	wmic.exe
Token: SeBackupPrivilege	2516	wmic.exe
Token: SeRestorePrivilege	2516	wmic.exe
Token: SeShutdownPrivilege	2516	wmic.exe
Token: SeDebugPrivilege	2516	wmic.exe
Token: SeSystemEnvironmentPrivilege	2516	wmic.exe
Token: SeRemoteShutdownPrivilege	2516	wmic.exe
Token: SeUndockPrivilege	2516	wmic.exe
Token: SeManageVolumePrivilege	2516	wmic.exe
Token: 33	2516	wmic.exe
Token: 34	2516	wmic.exe
Token: 35	2516	wmic.exe
Token: 36	2516	wmic.exe
Token: SeIncreaseQuotaPrivilege	2516	wmic.exe
Token: SeSecurityPrivilege	2516	wmic.exe
Token: SeTakeOwnershipPrivilege	2516	wmic.exe
Token: SeLoadDriverPrivilege	2516	wmic.exe
Token: SeSystemProfilePrivilege	2516	wmic.exe
Token: SeSystemtimePrivilege	2516	wmic.exe
Token: SeProfSingleProcessPrivilege	2516	wmic.exe
Token: SeIncBasePriorityPrivilege	2516	wmic.exe
Token: SeCreatePagefilePrivilege	2516	wmic.exe
Token: SeBackupPrivilege	2516	wmic.exe
Token: SeRestorePrivilege	2516	wmic.exe
Token: SeShutdownPrivilege	2516	wmic.exe
Token: SeDebugPrivilege	2516	wmic.exe
Token: SeSystemEnvironmentPrivilege	2516	wmic.exe
Token: SeRemoteShutdownPrivilege	2516	wmic.exe
Token: SeUndockPrivilege	2516	wmic.exe
Token: SeManageVolumePrivilege	2516	wmic.exe
Token: 33	2516	wmic.exe
Token: 34	2516	wmic.exe
Token: 35	2516	wmic.exe
Token: 36	2516	wmic.exe
Token: 33	924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	924	AUDIODG.EXE
Token: 33	5076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5076	AUDIODG.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wordupd.exe

description	pid	Process	procid_target
PID 4200 wrote to memory of 2516	4200	wordupd.exe	92
PID 4200 wrote to memory of 2516	4200	wordupd.exe	92

C:\Users\Admin\AppData\Local\Temp\wordupd.exe
"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\system32\wbem\wmic.exe
  "C:\inc\bhv\vtu\..\..\..\Windows\vqnpk\su\f\..\..\..\system32\ubt\r\f\..\..\..\wbem\fa\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-132-0x0000000000000000-mapping.dmp

Download
memory/4200-130-0x0000000000970000-0x0000000000A11000-memory.dmp

Filesize
644KB

Download
memory/4200-131-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download