maze | 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
Size

898KB
MD5

61b32a82577a7ea823ff7303ab6b4283
SHA1

9107c719795fa5768498abb4fed11d907e44d55e
SHA256

4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
SHA512

86ac9d3d0804f5dd3ebe08ab59058363bceeaa3f42d2d482f97ce688837b3b81693fde2b973250b93ee3223318b0f8e4f2faf6b0f91017807feacabce979d700
SSDEEP

12288:20lnPLRBrenjExzDKNg6dNoQl+vtMyOo/mSVTWa5QLeuXwuxbvRr/LpiRPMBp:201PLX0GferoQOMyySVa/VFbvhtiRPo

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2f0cc3f86cdd43 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c2f0cc3f86cdd43 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- 6sCEHAmQpTz4YZf2FJsURwg8TOnhdIxisyTo66P+ZtxHkO5uG+VdgPt+QIQ+ek8ziIEKhNlk1PKG/aK5sYQqEQefZCeBcCTFmbvYO8qHidXyufV1IJy/xQdVjfwiE25LBPfVDG273SufijvzKjAdNL/UFM3YbqTJPu79AoruYgEw6pV8PWUxZ+3QRPml6BwYZoYgHItKKlILHHpZn2yFYNGDVsVHWIQWjr22kHAZzaLf++z5Jk2CQeWQS0g9RQaK8Cv+R7PxvFfc4mpVswh4Rp3HcFIzh4rrPQ3MNTGhQ5cdcmZOvJG/xcVbvNU/0lFpG7eQ3/7Frw6KngtW9jy9J4FK52AmY2mXziHpfOmaHXYNbjV9+/Bc16/fFVNlAOzNMJ1b2s9jYctJp1PRrobFzvjYWeoXimsZY3Hty/236t5h3NcLkstdekyc3PDpIncCFPN0vGRW0cZVbf0Opu0BaF6AUJI6l3SrHgSWyB83jCy3MtjGTixf5cZYyyfCVt+auXCumswtz0uacMB8lYuovJdywychwdfSWmY9ENiMMPGi64CzBH/e/rPhvMSQlZz6OIcjTBBnEqIIIaRpHHllnopQLCH16thYbPVKlOVQ768aI2WnbZquf5KZr9i7u+C6pHkYzOlFmrClan/4U428RsKm3n20v4iGmkQTNaHK3baUm/SU7wM5sBHvkQko7LFpHEJexAa+vjA7ykly0VrTtLnKnesUUC4yXNdLcX5dg7AQm2mdGHmpqeMF2ZNUm8GWcJQVUAgG8gEdTHP81oOQjW+GijKjTd2ONEIz+4XyELRGCwL1G2fAH0wpiqUz2t19btTjid8+nibWquBkUFvA0fSgJD7sm7CPHd9TT3AOIK2MtGyJ97Tqws9FpNmRbQGlT8Z6+OJ9cA/MAm1k/7doexaudxGZNL7gPB+ttSmMSanARpOHNGIUWjGvxvfgQ6kf5hoj1SLhCZBNSl4cEUseTfAhdnlnmIrC76wjHCuZxZGSBFUDHzKkziKf5AaAAPrGyOC/HC31mO118xt6T70K4T4MhSYV8Fma73tDNXNPD1/WyONmarFWFRKp3WEV40O6rg3tEdL3QIQzrDSx5suY8hwB4kndWMkcoHYZOEbfSLZW4zIO5Va7SP2EKvHnRLJvQnhnquCQaFKki3VSv/fFPky8mhHxpxpzTz3S8XEmiBmfsxWGOQAgm2cNCfI3E+R/2PoiYr877kjH40uQ6feLXe/AFiYTVU0GomXVEuZD7YTQuiFvWd0D9Mgi9u7vGneDiWQL74pFcR6Z04m9eNVOMuks+3NmBp+ke/Aw0hRf+P0TgzxWkyvsMeflFDV1SN+72ChpXvlL6+j4QTK0xxbkggvTjuTuYf3jROWCnGIxB38vct6ZgAx6CcV+tKqjFvBymhbWcANV6mez2TbQlaNWV32fnJRVnU96YTR7IEGjb/Ldp7YY57EK14Z4PpDtFWfe2z6cNAX5GZRC5+WgWdNQ7ql44TRAPK6s9qIAZpLitAx2orfzqVt1tRiiMZlKXyVZtrN4sKTzqawex5vwkMeeqUeJ+bVH1Z/+xJJb628RCnxTt1USyk83/3IVIJWMF4aqjRjdkPgIjdN9wPSNIgJ2ZPq1aXE0yAg0E23PrMvDydnSMYatr8WYMj+vdtdNwEYDGr2HLJp9Acw2/OR24Vk8EXyYBbQiUpf91FlJS2/8Judt2/PS7QRl2cUWj89Os4a+pJQtWsbI6MqPV6W66YnCvBIfi7e0qV3LrVpeqU0ve67cH2mZy+XFqhsq4nCPsfzNxtEFaMvctCC3jp4VmGy/Pkfijq3fVg+7XtR9m9SW+HV9MzXD9BIBsWaq2R1cl3hPpHqcmAHEGnqKnfoxmhiac1BYrou6Bn4JwT8ceKQgJ1iN3O1ESKC8leRIBDr85NWqui7Zcd/YJzwA8jW5V/O421b6fFPVOG1kJk+gYpM8J83i0m94EKURp9gbt+xHMwq+oxY7sD1GOQo3GzM01mUQiUCorP9Ad6dktzhcfPkf5E3Ik6tV7SDmhhisR0Ny+zFfjtkF2uoR9KLZxkhvvLa09iHVKHHXlCY3rLg7L4SNi4xJki6NYlFWthBOeoPMZ0atzMC2ZuX1h2lZnO9jLmWzHFZ2X1gJeiUUL+jU5L8HNIJ6zAKfqrAioklUDh26jPgyweuAZu52CTib2nuO/zeTXh2XOATsxo+1NLagPWudlagxja3r6wkqlLIeyRlpTarrPMaQCgoiNgBjADIAZgAwAGMAYwAzAGYAOAA2AGMAZABkADQAMwAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEIAUABPAFEATgBYAFkAQgAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEI2fABDAF8ARgBfADIAMAA0ADgAMAAvADIANgAxADgANAAxAHwARABfAFUAXwAwAC8AMAB8AAAASABQQFiJCGCJCGiJCHDIkbADeAyAAQGKAQUyLjMuMQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c2f0cc3f86cdd43

https://mazedecrypt.top/6c2f0cc3f86cdd43

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DebugUnpublish.png => C:\Users\Admin\Pictures\DebugUnpublish.png.nlHw	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File renamed	C:\Users\Admin\Pictures\FormatUnregister.raw => C:\Users\Admin\Pictures\FormatUnregister.raw.SXvjG	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\UnprotectCheckpoint.emz	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\UnpublishExport.mp4	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\InvokeDeny.TS	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\UninstallRepair.mp4v	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files (x86)\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\ConvertFromClose.iso	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\UnblockRestore.xps	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\DismountRename.cr2	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\EnterOpen.mpe	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\ExpandConvertTo.cr2	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\ReadOut.jpg	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File created	C:\Program Files\DECRYPT-FILES.txt	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\6c2f0cc3f86cdd43.tmp	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\InstallRename.emf	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\SendUninstall.svg	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\UnblockResume.au	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\UnregisterClear.ico	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\ConnectRepair.aifc	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
File opened for modification	C:\Program Files\InstallFind.tif	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1424	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1500	wmic.exe
Token: SeSecurityPrivilege	1500	wmic.exe
Token: SeTakeOwnershipPrivilege	1500	wmic.exe
Token: SeLoadDriverPrivilege	1500	wmic.exe
Token: SeSystemProfilePrivilege	1500	wmic.exe
Token: SeSystemtimePrivilege	1500	wmic.exe
Token: SeProfSingleProcessPrivilege	1500	wmic.exe
Token: SeIncBasePriorityPrivilege	1500	wmic.exe
Token: SeCreatePagefilePrivilege	1500	wmic.exe
Token: SeBackupPrivilege	1500	wmic.exe
Token: SeRestorePrivilege	1500	wmic.exe
Token: SeShutdownPrivilege	1500	wmic.exe
Token: SeDebugPrivilege	1500	wmic.exe
Token: SeSystemEnvironmentPrivilege	1500	wmic.exe
Token: SeRemoteShutdownPrivilege	1500	wmic.exe
Token: SeUndockPrivilege	1500	wmic.exe
Token: SeManageVolumePrivilege	1500	wmic.exe
Token: 33	1500	wmic.exe
Token: 34	1500	wmic.exe
Token: 35	1500	wmic.exe
Token: SeIncreaseQuotaPrivilege	1500	wmic.exe
Token: SeSecurityPrivilege	1500	wmic.exe
Token: SeTakeOwnershipPrivilege	1500	wmic.exe
Token: SeLoadDriverPrivilege	1500	wmic.exe
Token: SeSystemProfilePrivilege	1500	wmic.exe
Token: SeSystemtimePrivilege	1500	wmic.exe
Token: SeProfSingleProcessPrivilege	1500	wmic.exe
Token: SeIncBasePriorityPrivilege	1500	wmic.exe
Token: SeCreatePagefilePrivilege	1500	wmic.exe
Token: SeBackupPrivilege	1500	wmic.exe
Token: SeRestorePrivilege	1500	wmic.exe
Token: SeShutdownPrivilege	1500	wmic.exe
Token: SeDebugPrivilege	1500	wmic.exe
Token: SeSystemEnvironmentPrivilege	1500	wmic.exe
Token: SeRemoteShutdownPrivilege	1500	wmic.exe
Token: SeUndockPrivilege	1500	wmic.exe
Token: SeManageVolumePrivilege	1500	wmic.exe
Token: 33	1500	wmic.exe
Token: 34	1500	wmic.exe
Token: 35	1500	wmic.exe
Token: 33	668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	668	AUDIODG.EXE
Token: 33	668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	668	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1500	1424	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe	34
PID 1424 wrote to memory of 1500	1424	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe	34
PID 1424 wrote to memory of 1500	1424	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe	34
PID 1424 wrote to memory of 1500	1424	4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\wbem\wmic.exe
  "C:\m\..\Windows\fxp\akt\..\..\system32\rg\y\..\..\wbem\facw\sqhh\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\DECRYPT-FILES.txt

Filesize
10KB

MD5
0420bd8b21103f5406a0ec449c469b79

SHA1
2ac3ce31519d2c5e021b8f6fbdff2465c1a72c1b

SHA256
75ab7ece26c2ae01953f642129f1f676e8951e26254bb849c8e76944ca696a42

SHA512
f8350f841f621718c3afa9f6ead82d976d84d10bb7f567c67a0773c010298fbac4b85415e9923b436bf8f5e7979b9ef395b28bd8feed4ed878f00f48976576a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7C2A6CE78DF0421AB82F6B81DFCB8CB4.dat

Filesize
940B

MD5
a48d270bc83536563d303aab58517840

SHA1
6a5cd52ff7b0eacd7bbdff32207b4bbfa701b0c5

SHA256
131c23cb1de4f06bbd7fe5ba356b375fd8a2e4696a12759c15481b6d4f4e5451

SHA512
4f304c3f8764fda1f5337cc936520eb66aaff2b8afd1a4d7fc27fd657a298effffc5c2950633f7b845f32f0275e849b27071dba16e3cb823f04d847e39a3ba0e

Download Submit
memory/1424-54-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/1424-58-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/1424-60-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/1424-64-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/1424-857-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download