Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
31-12-2022 15:41
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Maze ransomware</b></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
</div>
<div style="text-align: center; font-size: 18px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">lIwaUpHTQMTDHmibKCC7ZZwLcxeufyViypH1R7X52JDtFWFI0ztmmrStDP1QHoFXnaHT8Ip2sVNdnuR4+pCG5cRetFM69SN1VWKti7k/qPvtjHwvbMKnRPmi3y2c4H6XoephcW4KrcBsZZMELkn7jS+goTYdKIhywk08Uzv0w4Z8lykmfx03dRURMp9wKeDcOcZ4woAgd0wj9ICJYJ2tWZusu+4LpbGBdaf5hSaoe+NHe//Nc7aF2Q2j/9frtJl8zBSPiyEdlqVnQAjGRL62AaOk4yvaAr5wnyg3H7zz78LiHdC4CWwb044USRLD7m0yykfgRAOwfuRmxWaZcXpb49zfU5uf0WwOvsU3+6rlNF4WCVv8d5KG9CbyWy/Gff5DB0jnVAS4kmkflAjibrZ0N1bi3ntMbgsedhp6sDeqpWb+3rx91BmPFxXKp98p9OtI7S2M+Q+69D042jS55hTSb8oDrRZT1Twn6yS6tQJXdbRLqjjFDaoaUHDwBNmHe8grBgti8wp7nWbDp3IkDYP0UhHE8fiXD0a7mI8ixna/5GY1AdmPCef/i3Xv5XHg3JRBhVmZXsP0RWjllrlXJ+8Y14CfdTcS1EeKfkLyRxk0w+d6BtX0Gj6SvPeqYHr5qe1p3InjSq9TblQla5Cm43HmPtYUdtAnis5fCoTJ66XLbZUgloSR0t0B02rdqyxbbOz0S+nkp8619+8RA8tKVWXOxunTLr5ZqDmTjZ0EJlSgk4UDSNmHCENOnFNLdUlacovmEZbjcSQlFPwB+aDvvD/toCv/otVI4Kiw8Yu9mkDplh9LGwEyGdDBp/TAvbXkBdPn0vxBol8cVeNwpiKdUi20pHaMdA1SDBo9dZd1bZv+upcPFevlbV9kyA5W6uATvffV/3eXJ/matEHIwZW5un4zAkPd3uFe/lfULQ0tQVQNYrjoK/RYFxMAXyOXz2cRieG3CltmCC0Vp6pk1n4pvP4njmP7Rmh4u3P5vlro1h040C/QfJ0UF8337l+8B4oLTF8CgLbR3mPmjbCokBG33ISW8slTZmbgKUWkgHEGsvoJKM4BJmd2bdlDJK/2tzBy4yb0T/tYw3riCfDrJXGDoljOPiBflMo4UNO66IcMBS6eAKKogwy8UnYpW+VU6bPdNTrvjyHWrDEc1G8yWB1EB/0vnL9gwYmzb789gfApKOkwgo25LeRXKw5OMmRfnft570ZgorfHnMkLrPHutb55y7kRmclhgXgxMktNCQ7CM7z61/+08c8xiOuNb2p9Ip7P6lBXU8PvYMUDiZKAMQXGtmr0ARFysoKWSN8L+FIw61pbKP+wHhh/CqJuFrYnnsNJMZSddjlol9ttLrgloRY1zMtewZ7d1m2z/OjIWw0IKiOko2Uk4FIwQUzbwRtia0DLnwRL+8aZxphrtKCd47LWVmQRLPzxCt613/04m2w1HGIpQ8lGXYH2/OZZM2GAGZgeDucQxw6Iy1w4iaqtnDxHN769fSvIbnI53LIwWy+9RVNp6dyVbHAQDF77mq+gGF1nebzUS+BZpBFp1QTkwZegQ45qEvYb9xZ4aa7HVL+M1UNHgSGZV/mmdIvBUs5gF6a4z9EKRck27sijYpMeyfhNy9XlAlbY9Sc66MkqsW+JRb8rJ3SgSuWtIZ6IBby73Z4wILZsEhkTBeLG+QBS6CLmeu260cYlFlP0/hcPHRwJngnLTJVnA2KnbGNWM53Nqihrv6rmGJHVau5flXnSQvu0MhOpu8G57KyQNHVt/U4coYGgx949sxzqHuLnTqpEdYuxLUn+frcasqSKkHVm4tQbCbXylwc7+oM5VwhQJxkKNEPDc/Q5/1CjOiD8dIEUhRQh7+EfeefyJDjU1SoMCqyrg28fb8Vi6UNAVmE/wKlKE2QMpeMmjkuVabjNlpx50Xd7xPQ7dulk2gSkX4ESogdrGPJYaNoIvOrzov4tUSQp2OO1JbSLPr+D8dsNESurmmJBgKf+YitKvJbAJYGnYBiMBMd94L/1/mHaArHJxYeUkydfOILEJCsW4yVxPGGhe6P/L+U7HfCr+P2VF3MIvRvU8tNE7wg6hGXrQiwUM4h91asvPd5MOBUJfcLAt2+6RPb1A1FoUY7ft4mEnFK9Luwgu+tUUS6+XzbWl31HJSwnCaNey9TG8dU+Rfie8ADXYqHA9YNi2/O5u43FbUM5d68z8hl1Pn0JMDMBn4bFmGf4AHjNtfm9HPIC+rdG50aCCQoGMQc1vDTO1woiOAA4ADIAYwAwADkAOAA4ADkANABhADgAOQBkADgAYwAAABCAYBoMQQBkAG0AaQBuAAAAIhJHAFIAWABOAE4ASQBJAEUAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwo7qwA3gDgAECigEFMS4wLjI=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails
[email protected]<br>Reserve
[email protected]</b></u>
Extracted
Path
C:\Users\Public\Desktop\DECRYPT-FILES.html
Ransom Note
Maze ransomware
*********************************************************************************************************************
Attention! Your documents, photos, databases, and other important files have been encrypted!
*********************************************************************************************************************
What is going on?
Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system
You can read more about this cryptosystem here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
The only way to recover (decrypt) your files is to buy decryptor with the unique private key
By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.
In order to either buy the private key or make test decryption contact us via email:
Main e-mail: [email protected]
Reserve e-mail: [email protected]
Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.
Base64:
lIwaUpHTQMTDHmibKCC7ZZwLcxeufyViypH1R7X52JDtFWFI0ztmmrStDP1QHoFXnaHT8Ip2sVNdnuR4+pCG5cRetFM69SN1VWKti7k/qPvtjHwvbMKnRPmi3y2c4H6XoephcW4KrcBsZZMELkn7jS+goTYdKIhywk08Uzv0w4Z8lykmfx03dRURMp9wKeDcOcZ4woAgd0wj9ICJYJ2tWZusu+4LpbGBdaf5hSaoe+NHe//Nc7aF2Q2j/9frtJl8zBSPiyEdlqVnQAjGRL62AaOk4yvaAr5wnyg3H7zz78LiHdC4CWwb044USRLD7m0yykfgRAOwfuRmxWaZcXpb49zfU5uf0WwOvsU3+6rlNF4WCVv8d5KG9CbyWy/Gff5DB0jnVAS4kmkflAjibrZ0N1bi3ntMbgsedhp6sDeqpWb+3rx91BmPFxXKp98p9OtI7S2M+Q+69D042jS55hTSb8oDrRZT1Twn6yS6tQJXdbRLqjjFDaoaUHDwBNmHe8grBgti8wp7nWbDp3IkDYP0UhHE8fiXD0a7mI8ixna/5GY1AdmPCef/i3Xv5XHg3JRBhVmZXsP0RWjllrlXJ+8Y14CfdTcS1EeKfkLyRxk0w+d6BtX0Gj6SvPeqYHr5qe1p3InjSq9TblQla5Cm43HmPtYUdtAnis5fCoTJ66XLbZUgloSR0t0B02rdqyxbbOz0S+nkp8619+8RA8tKVWXOxunTLr5ZqDmTjZ0EJlSgk4UDSNmHCENOnFNLdUlacovmEZbjcSQlFPwB+aDvvD/toCv/otVI4Kiw8Yu9mkDplh9LGwEyGdDBp/TAvbXkBdPn0vxBol8cVeNwpiKdUi20pHaMdA1SDBo9dZd1bZv+upcPFevlbV9kyA5W6uATvffV/3eXJ/matEHIwZW5un4zAkPd3uFe/lfULQ0tQVQNYrjoK/RYFxMAXyOXz2cRieG3CltmCC0Vp6pk1n4pvP4njmP7Rmh4u3P5vlro1h040C/QfJ0UF8337l+8B4oLTF8CgLbR3mPmjbCokBG33ISW8slTZmbgKUWkgHEGsvoJKM4BJmd2bdlDJK/2tzBy4yb0T/tYw3riCfDrJXGDoljOPiBflMo4UNO66IcMBS6eAKKogwy8UnYpW+VU6bPdNTrvjyHWrDEc1G8yWB1EB/0vnL9gwYmzb789gfApKOkwgo25LeRXKw5OMmRfnft570ZgorfHnMkLrPHutb55y7kRmclhgXgxMktNCQ7CM7z61/+08c8xiOuNb2p9Ip7P6lBXU8PvYMUDiZKAMQXGtmr0ARFysoKWSN8L+FIw61pbKP+wHhh/CqJuFrYnnsNJMZSddjlol9ttLrgloRY1zMtewZ7d1m2z/OjIWw0IKiOko2Uk4FIwQUzbwRtia0DLnwRL+8aZxphrtKCd47LWVmQRLPzxCt613/04m2w1HGIpQ8lGXYH2/OZZM2GAGZgeDucQxw6Iy1w4iaqtnDxHN769fSvIbnI53LIwWy+9RVNp6dyVbHAQDF77mq+gGF1nebzUS+BZpBFp1QTkwZegQ45qEvYb9xZ4aa7HVL+M1UNHgSGZV/mmdIvBUs5gF6a4z9EKRck27sijYpMeyfhNy9XlAlbY9Sc66MkqsW+JRb8rJ3SgSuWtIZ6IBby73Z4wILZsEhkTBeLG+QBS6CLmeu260cYlFlP0/hcPHRwJngnLTJVnA2KnbGNWM53Nqihrv6rmGJHVau5flXnSQvu0MhOpu8G57KyQNHVt/U4coYGgx949sxzqHuLnTqpEdYuxLUn+frcasqSKkHVm4tQbCbXylwc7+oM5VwhQJxkKNEPDc/Q5/1CjOiD8dIEUhRQh7+EfeefyJDjU1SoMCqyrg28fb8Vi6UNAVmE/wKlKE2QMpeMmjkuVabjNlpx50Xd7xPQ7dulk2gSkX4ESogdrGPJYaNoIvOrzov4tUSQp2OO1JbSLPr+D8dsNESurmmJBgKf+YitKvJbAJYGnYBiMBMd94L/1/mHaArHJxYeUkydfOILEJCsW4yVxPGGhe6P/L+U7HfCr+P2VF3MIvRvU8tNE7wg6hGXrQiwUM4h91asvPd5MOBUJfcLAt2+6RPb1A1FoUY7ft4mEnFK9Luwgu+tUUS6+XzbWl31HJSwnCaNey9TG8dU+Rfie8ADXYqHA9YNi2/O5u43FbUM5d68z8hl1Pn0JMDMBn4bFmGf4AHjNtfm9HPIC+rdG50aCCQoGMQc1vDTO1woiOAA4ADIAYwAwADkAOAA4ADkANABhADgAOQBkADgAYwAAABCAYBoMQQBkAG0AaQBuAAAAIhJHAFIAWABOAE4ASQBJAEUAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwo7qwA3gDgAECigEFMS4wLjI= Click here to copy
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\w\ns\..\..\Windows\u\xm\..\..\system32\k\nikq\..\..\wbem\x\pm\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\jxq\kvd\..\..\Windows\vol\..\system32\puw\..\wbem\bcwc\fnsr\gke\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5101⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\DECRYPT-FILES.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:236 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD53cec68e7be057292ae56b2deefa47e95
SHA101440639310f18edb8706678201598476a022700
SHA2561d3717838f8c0b5e9406d30fce79af12f8a840b0c4dca958ef33ac335e672423
SHA51250bae73605834293e8ab10f50f5972bb6154123bc84d1c0f355e30886d415c5bc906ea97bdc85c6da0e17af22ec0207c7f6a698387042ee03a3dd44f38aac78a
-
Filesize
6KB
MD53cec68e7be057292ae56b2deefa47e95
SHA101440639310f18edb8706678201598476a022700
SHA2561d3717838f8c0b5e9406d30fce79af12f8a840b0c4dca958ef33ac335e672423
SHA51250bae73605834293e8ab10f50f5972bb6154123bc84d1c0f355e30886d415c5bc906ea97bdc85c6da0e17af22ec0207c7f6a698387042ee03a3dd44f38aac78a
-
Filesize
6KB
MD53cec68e7be057292ae56b2deefa47e95
SHA101440639310f18edb8706678201598476a022700
SHA2561d3717838f8c0b5e9406d30fce79af12f8a840b0c4dca958ef33ac335e672423
SHA51250bae73605834293e8ab10f50f5972bb6154123bc84d1c0f355e30886d415c5bc906ea97bdc85c6da0e17af22ec0207c7f6a698387042ee03a3dd44f38aac78a
-
Filesize
601B
MD59269c8d1cae42cae6833d0f58b4ce7f0
SHA1a2c2b95d50c0cd4ecf8f678fc5226b7e9400a285
SHA25628bf4c8bd0026ce73c6db8c332013184d154a66a649dc910e4b926d900cbf65f
SHA512c693247ddbda7ed47b8d8a0836f18383fec0e1b77d4e4d27ac49951559ab6736984be43d7fa68db7842b2cfffc8b0c95a3dc6d195b9552ecee7f3b769b7fb47c
-
Filesize
6KB
MD53cec68e7be057292ae56b2deefa47e95
SHA101440639310f18edb8706678201598476a022700
SHA2561d3717838f8c0b5e9406d30fce79af12f8a840b0c4dca958ef33ac335e672423
SHA51250bae73605834293e8ab10f50f5972bb6154123bc84d1c0f355e30886d415c5bc906ea97bdc85c6da0e17af22ec0207c7f6a698387042ee03a3dd44f38aac78a
-
Filesize
8KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
356KB
-
Filesize
216KB
-
-