maze | 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251

Analysis

max time kernel
506s
max time network
425s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
Size

733KB
MD5

460cb38e14fcadef06e267047ce9d69e
SHA1

b5f99fc2edba2891b6d947aacd3c32be5b43ba4c
SHA256

6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251
SHA512

312cdb07d8b4c278d0afd8de73bfa276cffa2980005ca519cff1f7c06ce8ad4811f4ae791b861d1caa6e2891615eb963800977f2efb739a04b7c54107de1d7f1
SSDEEP

12288:k5/glZ0FL3v6n2KwlrIf8U1UaqPDcGr+UJZj4vKHdyicKK6:OglOF763Kq8U1U3eixExM

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c550cb4cb94778c e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c550cb4cb94778c b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- Osrmkj25+wp2gryHqn04Q+7NG+nWHrw6gUnRX7Vrb3AIwucIdm/hyAEHzqdP+URVZ3L55HavEg9C8h8wHARxYxW0ibRxiMdxn5pERWoQt4powGrM4ICOX4i62Pa/zSxOw0hjPHbuMSi+O1P5JWU4myY4KYlE08iqAmwZKn5LZbc/v6OQbwnO2wr8aUbleMYA7JIM0VGGtUxTchpyo/TgQsUpIG7S6RfGvnuDkUs55H1V6B8nWx+RyH563v2tZTqvp/OTwHEw6MiFBA3A5JJVVI0s03VCIMZMajIFROcSAhVlw3aNzVy7CjYZL/Nqp+PsNTZr1eq48d9Yr+EBOUtIDZTZJr36Qj0jUr0GNDfk45eeHqxJl+yYyj0E4NtNqUKSWppVtLd0A3C395bJ4RDpFOTlYkZtjyIGDNY9eyrAScLgJIS13JUGJwfC8RWj/1XhUdtUywuIFI9a5F1fcWiWFQ9JESXf0zr/yL3WuagZAk5AR12q6rZ03eTZi/GAH4bRmzGmjM+/7uXQQWTh+EZj3spqznvl07Cu6gDie7YA+EzE8dDa2km5im3Ms3xP9gnyUe1Psi1FjN1wzPl0bbQK98PI3uOI4YFm5CSrcD5tofRUYah/B9bvFgmFm0sJn+p/6K1ak3M8QXZHN8391OBDmyj1NUAmFQDvshGZVZmarH3Txt26i3z/xcvuhIpR/cpaOnb9t09UMA1AjAzqO80P5XGvOHytBhtmTimowMA+YlCA27+fcmctyWoTJImTczRdPSj8Bhwwo9cu4qmA9GJvA1JNpy0PPKStzuhmZqA+Dns6IqGiP2R/P64G7/1oKnLPwo/70A62AUdL+ymGP1d6SpFVSDo+P9yWZ049Vs5g13RzmCO+mde/c7s7Ww3zI23YyakDCAfE8bAhU38WHPHCdd4HoNd1ALpxPAiBVXmvGE5wdJ5fDgMTgfgHV5hSwcKcpODUopG/V0zzezhi53aZOBXAFABSDJ+nhcjek9LvC5bnuoGVO3EO2/U4s+rsAXwbNDtggdGOckEJgMf0sJdlplLLQDdy6aJ2Cw42fXwHWVcSRWG62MYif0wvtIVr9WPlwZS1miMylDVw9kHzGWDrHOHCVLFGOXA/zX/t6BeP0eKgwX/gFamtLwPlNnBlx+v0+oOgUdBxXdK1i5IiVU6XPEOz0GetUcOvd2cnSvNyFwArxHxfYPj7W1NzMlGianumiiXXESnHk6Hx77aVYLefkvbZR/nOJ4W1erZ0AgGK8WoeQxUbel0JvGo+8q5KjGMCfzCtVrN+rqrLf7tIIgKYkiomkx+YG4AQS3tIpw9ERk3jbEFSZ03ST2YaA9Cf74XhHlrKwOZYyTn8Fyev7m/X/i/8yn4fmRwZ/N5XtFyJ+gciBq1BXuwMiKEm6fd8BaALwT3CTg+N5jtN1Ow8KqlgG+8pW01iD4SmTGwmJsQQW2C0qcbg+yNsV3hsiViHIKLZSeAWp85IEopbaAizeeSGCkoUkEkz6TfWJPugj+nVP4dJtnHYp2OacdmdQg4MlwEoz1vU20BSKJYY17slI5eYPdHnzPgpsMTfULnU6uxHNl4MsKiYMBSu3ntP1V7G59kR7UTLtrzUc6OVKyz+XvrlJ+b5nQ6PYVHYPlkeWLbLqK7YV2tPrKdFqiUQ5BJ8OHf3rvcDxfdTtX18u82kTQPqs2ftZxmwfmqqBt2c8dMZEbiO6jYjcjR9zKC1UE9R5Vk4pCu2lh49pxYILrASDIxujlvBpF2xA7uYlG9H3qzHreE3SYSPreyxVcAn4iFxZrs5RhJ6l/Ib6B3EyVqpDlbqpgARvP51rLpSQlsO4DKUr5hequyCPHuJ6l+3yv3v9Z0j9op0MexqX4La7qjq8IbMPnTZmRnUKz02WlQrnzPD70kIYLui8Tn5ivRqE//GWeRPlKBSwTCjs2C71dm4A6GOSaCiOTFHuxoSiOQotJffhj2qFhtocTMOOEZo1hDgtBoBpNLfaHrUDrttTe0khANUmR+QOfT1fdexrs77HlUfeb1raR4f5pUnCqyMEOzOXAe+GQVdYfWnciye969fGBu0N0dMwd4G59ukOq1IxerO73hTe267JunffkGU1h4sieVx9PD/0+ZN6a+xPxsr+3TJW7x1kVkxWcmt9md2OQUo2NBWVogSKcsj31bGuUjng5Ox5S1X9vW2DZFPHlPNwjWp2YPAkFTiPhb1XBLL1DhHbaK5yWO454ze40jopf4bzcuUdRNtoAoiNgBjADUANQAwAGMAYgA0AGMAYgA5ADQANwA3ADgAYwAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEcAUgBYAE4ATgBJAEkARQAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEI2fABDAF8ARgBfADIAMAA0ADgAMAAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHDUkrADeA6AAQGKAQUyLjMuMg== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c550cb4cb94778c

https://mazedecrypt.top/6c550cb4cb94778c

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StartWatch.png => C:\Users\Admin\Pictures\StartWatch.png.4i7ZJi	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\DisconnectRevoke.crw => C:\Users\Admin\Pictures\DisconnectRevoke.crw.acEv	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\DismountLock.png => C:\Users\Admin\Pictures\DismountLock.png.acEv	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ImportPing.crw => C:\Users\Admin\Pictures\ImportPing.crw.qHOgr	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\LockTrace.tif => C:\Users\Admin\Pictures\LockTrace.tif.qHOgr	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\RenameSend.png => C:\Users\Admin\Pictures\RenameSend.png.qHOgr	regsvr32.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c550cb4cb94778c.tmp	regsvr32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"	regsvr32.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RestoreWatch.tiff	regsvr32.exe
File opened for modification	C:\Program Files\SelectRevoke.m3u	regsvr32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\6c550cb4cb94778c.tmp	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\CompleteShow.asf	regsvr32.exe
File opened for modification	C:\Program Files\RestartClose.ico	regsvr32.exe
File opened for modification	C:\Program Files\RestoreUnpublish.midi	regsvr32.exe
File opened for modification	C:\Program Files\DisableHide.ocx	regsvr32.exe
File opened for modification	C:\Program Files\JoinReset.search-ms	regsvr32.exe
File opened for modification	C:\Program Files\NewWatch.3g2	regsvr32.exe
File opened for modification	C:\Program Files\ReceiveSearch.xps	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	regsvr32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	regsvr32.exe
File opened for modification	C:\Program Files\6c550cb4cb94778c.tmp	regsvr32.exe
File opened for modification	C:\Program Files\CheckpointApprove.zip	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c550cb4cb94778c.tmp	regsvr32.exe
File opened for modification	C:\Program Files\RevokeGrant.mpg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c550cb4cb94778c.tmp	regsvr32.exe
File opened for modification	C:\Program Files\InvokeConvert.ini	regsvr32.exe
File opened for modification	C:\Program Files\OutTest.rmi	regsvr32.exe
File opened for modification	C:\Program Files\ReadDisable.pps	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c550cb4cb94778c.tmp	regsvr32.exe
File opened for modification	C:\Program Files\MeasureDisconnect.scf	regsvr32.exe
File opened for modification	C:\Program Files\RenameResume.jpeg	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1008	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeIncreaseQuotaPrivilege	804	wmic.exe
Token: SeSecurityPrivilege	804	wmic.exe
Token: SeTakeOwnershipPrivilege	804	wmic.exe
Token: SeLoadDriverPrivilege	804	wmic.exe
Token: SeSystemProfilePrivilege	804	wmic.exe
Token: SeSystemtimePrivilege	804	wmic.exe
Token: SeProfSingleProcessPrivilege	804	wmic.exe
Token: SeIncBasePriorityPrivilege	804	wmic.exe
Token: SeCreatePagefilePrivilege	804	wmic.exe
Token: SeBackupPrivilege	804	wmic.exe
Token: SeRestorePrivilege	804	wmic.exe
Token: SeShutdownPrivilege	804	wmic.exe
Token: SeDebugPrivilege	804	wmic.exe
Token: SeSystemEnvironmentPrivilege	804	wmic.exe
Token: SeRemoteShutdownPrivilege	804	wmic.exe
Token: SeUndockPrivilege	804	wmic.exe
Token: SeManageVolumePrivilege	804	wmic.exe
Token: 33	804	wmic.exe
Token: 34	804	wmic.exe
Token: 35	804	wmic.exe
Token: SeIncreaseQuotaPrivilege	804	wmic.exe
Token: SeSecurityPrivilege	804	wmic.exe
Token: SeTakeOwnershipPrivilege	804	wmic.exe
Token: SeLoadDriverPrivilege	804	wmic.exe
Token: SeSystemProfilePrivilege	804	wmic.exe
Token: SeSystemtimePrivilege	804	wmic.exe
Token: SeProfSingleProcessPrivilege	804	wmic.exe
Token: SeIncBasePriorityPrivilege	804	wmic.exe
Token: SeCreatePagefilePrivilege	804	wmic.exe
Token: SeBackupPrivilege	804	wmic.exe
Token: SeRestorePrivilege	804	wmic.exe
Token: SeShutdownPrivilege	804	wmic.exe
Token: SeDebugPrivilege	804	wmic.exe
Token: SeSystemEnvironmentPrivilege	804	wmic.exe
Token: SeRemoteShutdownPrivilege	804	wmic.exe
Token: SeUndockPrivilege	804	wmic.exe
Token: SeManageVolumePrivilege	804	wmic.exe
Token: 33	804	wmic.exe
Token: 34	804	wmic.exe
Token: 35	804	wmic.exe
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: 33	1716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1716	AUDIODG.EXE
Token: 33	1716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1716	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1116	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1480 wrote to memory of 1008	1480	regsvr32.exe	28
PID 1008 wrote to memory of 804	1008	regsvr32.exe	34
PID 1008 wrote to memory of 804	1008	regsvr32.exe	34
PID 1008 wrote to memory of 804	1008	regsvr32.exe	34
PID 1008 wrote to memory of 804	1008	regsvr32.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\wbem\wmic.exe
    "C:\i\..\Windows\e\..\system32\f\..\wbem\hett\syief\..\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\DECRYPT-FILES.txt

Filesize
10KB

MD5
a630b2dbce1d8c7da8fbbae5b2805823

SHA1
2b0a1e9ef2f210caf4168e378e3e09911632f776

SHA256
804a386348dd4de3a64712f35c9a505dac8d471bea95ecfaf7688b02def1750b

SHA512
b0e1bd71973bfb685435f33295e49e09b3efe9010eb9a1e843fc32df2ef3553a24d49dfa289807958eb977d51a51d9f8d6782659e7aebed47ee734c2c0e030ec

Download Submit
memory/1008-56-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1008-57-0x0000000001E40000-0x0000000001E9E000-memory.dmp

Filesize
376KB

Download
memory/1008-61-0x0000000001E40000-0x0000000001E9E000-memory.dmp

Filesize
376KB

Download
memory/1008-62-0x0000000001E40000-0x0000000001E9E000-memory.dmp

Filesize
376KB

Download
memory/1008-65-0x0000000001E40000-0x0000000001E9E000-memory.dmp

Filesize
376KB

Download
memory/1480-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download