maze | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MazeRansomware.bin.exe
Size

478KB
MD5

deebbea18401e8b5e83c410c6d3a8b4e
SHA1

96d81e77b6af8f54a5ac07b2c613a5655dd05353
SHA256

6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
SHA512

a0396c82fb68cf3931f0a2fcdba580d51ec6069c82b4e3853341fc6971a4bde4dbeb0094b94379d1dce4b1d8c43703e86266156ecbee89f9c939a71cafe9d487
SSDEEP

12288:2GOrdqXg+Hy7WxHXkzYHD9Fg0CNDG+X9MOguRTzxH/F:EjuSWxHY0C5PXmOgEhN

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\odt\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/8858099a8c621f31 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/8858099a8c621f31 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- rkkFjV/8PE10o7kGkL1DlUybBxvp2p4SDq4vBIpufXf3fnbvwQF9WGk7wNWsLgB/A/ip/XRQV+CMbXn5NAe43P50uYcWF+Yj3AnIU26lFZZlvQIT9dPRW7Nbk2Ql4rR+XmeiWqEpXSmT0kKEpFjvQno7V1/vLrfx4koha0DOiuwwphy2CSx7hL4qveKtc+mnVO9wKMBExEAaDmjHDpYFHuB8QcgGoOu0UpW9Vh1vjYhWPtYC3OhfctrlUFse9xKTQodDaFq0Kd+SxECQAj340msUQB/+NFXVqXph3JFW4DNT9PfcHZPxdwlBx6CyG3JDiRQDpazhE1aJROPURXBQQgkipS1uM9epShGmOXN4rcc2kL8Go6tL9nUetg6Bu1TEWiV/Oj3wjfLkf4ebq3+KAQ18DY3ej3evXGTc3Ixw3515llRvURCvAoz1VTQGDEFWxJ8LLq2KKX+KTuu9sbrysUu1LyuXQe8fB/cmzQ98zNNaWi42k82OnZ8M6FlIXmetWRchV2hcDduE9bfljFF7KZeIfwesAWD2gPr+drJKZVAh/DwgMzV08R6eVO/V2MUD+KHzrMwoDA/id7Us6O/tz8tdhVsBliXiDKpn4ymtT+LhgdVNe1+z+3nP+Vs2LfTsZXpvXBM+z2wRHWbaWwnBl/vAUaiPoFr6+SRdpdwbeoVZiDgfnmeSToALWeoQwdmfqua32WerKirpll9PmIEhqcd78hGfk6iSIHUP/UYfS3hUJTMD9NNxjrNL15VgWvAo+Io6VyBi8oen4woRolh7igpSDEboz6s8sNcM/aZodvSo0MQQUZPbrzeFfZahqltabJUHsV4JN1mX3wGEOeMOvDuWLsmPPDBdPQYmhutPinoQ1fjTaWx4G1nCO++VbwGiOJ818ABpQpcR9wJq9TAWoRVt/NWTMG5JEkr3cVkToQ0RGl1AlT+En5Vm0GeKal2q1KC9tppl2e+px5Dsb8FI5uOOCVC4wCcSSsh8QqqDvS0LbnPqy1n+UJhBJxjPHgCgI7UUBvqHaSPycX8L1nd0xa0dz1MPecbj9QqFIEvZLx+MY0tjrwTig+3uzPRbwOOCJ4siFuFsQJXzum3XbilK47JxdLmwz7lWK+WBNdZs0OuDBzi549++hCFwVsHq5fL7z+bZpG+qCC3DvqWql4dS3vF+OnsCgyNJ2HaBIrLynA9MPq1Wpov3LwijI1TXQonQ0lB/W7ym7vELZG/Uhc2C9MJqwC0puD+DCakjhNfSYxMUb8sGE0U83R8AEDUUmVEEzKQ+M8K4w0bOAPz9HF1cieOPzYy8X7jmKY8PYSQLqy/8ROsgdmc9nCc7zfocegbjvmRF7WXiHI/8jji6OpDCXh4n8G+26MqbXBSfgL5Lsm8YemwgSHTWCVrEy+A180EK7d2xWN0ubUpDU4UKv48QZ2F8GA5iez4HPKV8oKL9ngfEF/r/c5G4SwYPRd+ucUovOSSk3SFq2CpKJ1ly6Hbx7wiOgbaUhuIIvno85+TWmKYKxS9RFW9XGroHTJvhAkosUFHbY5zvfF4Rg/eyd2XQYNQ/rTRFACtljrwTv53x2bXKuwLfDAEqMAFYkNrsTLT29g9NW7/H1is3tuBDnIlHzsYMhEAQmDEOIyzUh4QNsIA27vadaMdXmv3rblyvuN2kKJIk9+vWFr8gOzhs7THu8/C6utbSFEHTFlutE1cDx+Y+kP/lgSmMY8gcVaYkCe4cIkZt0q0CeS1JSafyZnR4Pxab0dfx6b79Qh9qpzr8+dWwwBqOZO95TaawJdE8pnRAlLjbol7M2AyeMzJ6nIC1U+wU/nyN/hHhAzMu1cHw+tT57+KXEK3sVsFip4jjDaVdCqueyCtNO6tOnKfyuJd6Fq0vuNPkfFNoo08LD2R2etjcL8UOsdLjEMkRqW2qsoeGtrLZ1qYjIDz1CGvdaBr7LuKNZi72MhKQ1yziGY65ZKnZ4IhwCOzk1HxcDBcTYo25Cg41nh+he8A26Uw3XUHofUH+NtRmQOlnOmmXVqI0DlXdJbmjtw+eSZ+pI6uzFB+R+HR1YdsaLYXVVCpYRyva5CGqdDth3SzzXzBMzwsuNQ/QzDMr9M3ChZQRWPnu/2nw4pXQg+xiS1LsH/Z/dfNS3KAcX60Tr4dtNtVLeXXccLPBGp/fK28en4BdERy/ukkQZM6ofFTWzRg8JQpVgzal/Ab28q/l5aHULXOUqKSNp3JVzL3fmcaf79kDtui5jA3+EzPiPgoiOAA4ADUAOAAwADkAOQBhADgAYwA2ADIAMQBmADMAMQAAABCAYBoMQQBkAG0AaQBuAAAAIhJPAFoAQQBEAFMAVgBXAEgAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwj4PbcngOgAEBigEFMi4wLjk= ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/8858099a8c621f31

https://mazedecrypt.top/8858099a8c621f31

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MazeRansomware.bin.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BlockMove.png => C:\Users\Admin\Pictures\BlockMove.png.8Qp8M	MazeRansomware.bin.exe
File renamed	C:\Users\Admin\Pictures\FindAssert.png => C:\Users\Admin\Pictures\FindAssert.png.amvfo	MazeRansomware.bin.exe
File renamed	C:\Users\Admin\Pictures\GroupRestart.crw => C:\Users\Admin\Pictures\GroupRestart.crw.13rEE8	MazeRansomware.bin.exe
File renamed	C:\Users\Admin\Pictures\RestartRename.tif => C:\Users\Admin\Pictures\RestartRename.tif.KLoxW7E	MazeRansomware.bin.exe
File renamed	C:\Users\Admin\Pictures\StopPop.tif => C:\Users\Admin\Pictures\StopPop.tif.4sMACFO	MazeRansomware.bin.exe

Windows Defender anti-emulation file check 1 TTPs 1 IoCs

Defender's emulator always creates certain fake files which can be used to detect it.

System Information Discovery

T1082

Processes:

MazeRansomware.bin.exe

description	ioc	Process
File opened (read-only)	C:\aaa_TouchMeNot_.txt	MazeRansomware.bin.exe

Drops startup file 4 IoCs

Processes:

MazeRansomware.bin.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	MazeRansomware.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c3qdw7.tmp	MazeRansomware.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	MazeRansomware.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c3qdw7.tmp	MazeRansomware.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 29 IoCs

Processes:

MazeRansomware.bin.exe

description	ioc	Process
File opened for modification	C:\Program Files\GroupShow.docm	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\MeasureTrace.bin	MazeRansomware.bin.exe
File opened for modification	C:\Program Files (x86)\c3qdw7.tmp	MazeRansomware.bin.exe
File created	C:\Program Files\DECRYPT-FILES.txt	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\AddCompare.wmv	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\MeasureRead.gif	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\OutPing.ps1	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\SkipRename.MOD	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\TraceResume.png	MazeRansomware.bin.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\ConfirmSelect.aifc	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\RenameGroup.ppt	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\AssertLimit.vssx	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\BackupGroup.jpg	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\FindUse.pdf	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\PingUse.i64	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\FormatFind.asp	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\UnlockConnect.jpeg	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\InstallExport.css	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\InvokeCopy.mpeg	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\SaveMove.cfg	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\SyncCompress.odp	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\c3qdw7.tmp	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\ImportStep.ps1	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\InstallCheckpoint.vbe	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\MountSuspend.vsw	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\SkipUnprotect.mpeg2	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\TraceInstall.edrwx	MazeRansomware.bin.exe
File opened for modification	C:\Program Files\WriteDeny.vst	MazeRansomware.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MazeRansomware.bin.exe

pid	Process
1284	MazeRansomware.bin.exe
1284	MazeRansomware.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exewmic.exe

description	pid	Process
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	528	wmic.exe
Token: SeSecurityPrivilege	528	wmic.exe
Token: SeTakeOwnershipPrivilege	528	wmic.exe
Token: SeLoadDriverPrivilege	528	wmic.exe
Token: SeSystemProfilePrivilege	528	wmic.exe
Token: SeSystemtimePrivilege	528	wmic.exe
Token: SeProfSingleProcessPrivilege	528	wmic.exe
Token: SeIncBasePriorityPrivilege	528	wmic.exe
Token: SeCreatePagefilePrivilege	528	wmic.exe
Token: SeBackupPrivilege	528	wmic.exe
Token: SeRestorePrivilege	528	wmic.exe
Token: SeShutdownPrivilege	528	wmic.exe
Token: SeDebugPrivilege	528	wmic.exe
Token: SeSystemEnvironmentPrivilege	528	wmic.exe
Token: SeRemoteShutdownPrivilege	528	wmic.exe
Token: SeUndockPrivilege	528	wmic.exe
Token: SeManageVolumePrivilege	528	wmic.exe
Token: 33	528	wmic.exe
Token: 34	528	wmic.exe
Token: 35	528	wmic.exe
Token: 36	528	wmic.exe
Token: SeIncreaseQuotaPrivilege	528	wmic.exe
Token: SeSecurityPrivilege	528	wmic.exe
Token: SeTakeOwnershipPrivilege	528	wmic.exe
Token: SeLoadDriverPrivilege	528	wmic.exe
Token: SeSystemProfilePrivilege	528	wmic.exe
Token: SeSystemtimePrivilege	528	wmic.exe
Token: SeProfSingleProcessPrivilege	528	wmic.exe
Token: SeIncBasePriorityPrivilege	528	wmic.exe
Token: SeCreatePagefilePrivilege	528	wmic.exe
Token: SeBackupPrivilege	528	wmic.exe
Token: SeRestorePrivilege	528	wmic.exe
Token: SeShutdownPrivilege	528	wmic.exe
Token: SeDebugPrivilege	528	wmic.exe
Token: SeSystemEnvironmentPrivilege	528	wmic.exe
Token: SeRemoteShutdownPrivilege	528	wmic.exe
Token: SeUndockPrivilege	528	wmic.exe
Token: SeManageVolumePrivilege	528	wmic.exe
Token: 33	528	wmic.exe
Token: 34	528	wmic.exe
Token: 35	528	wmic.exe
Token: 36	528	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

MazeRansomware.bin.exe

description	pid	Process	procid_target
PID 1284 wrote to memory of 528	1284	MazeRansomware.bin.exe	97
PID 1284 wrote to memory of 528	1284	MazeRansomware.bin.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MazeRansomware.bin.exe
"C:\Users\Admin\AppData\Local\Temp\MazeRansomware.bin.exe"
1⤵
- Modifies extensions of user files
- Windows Defender anti-emulation file check
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\wbem\wmic.exe
  "C:\pw\..\Windows\chk\..\system32\wyxp\rolc\..\..\wbem\bhbd\grgvd\ttb\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\DECRYPT-FILES.txt

Filesize
8KB

MD5
54210341759de7c5ee6eab041f06b60d

SHA1
1e2462511d44969eaf64cd328cd10c592abdfab6

SHA256
7e61a42f9cd32dd68d257bfcc3c972de22d35c310c048d87f62d6b920237dd87

SHA512
d5062e5cb3804e6764d38d9fefb850d0add0f2f11b2ea4e44ed8899eeeb55e9ce34ada1d46e6097587d08e74c93484b7ca7c3401820462a9a31a68e4d558bb90

Download Submit
memory/1284-133-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download
memory/1284-137-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download
memory/1284-139-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download
memory/1284-143-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download
memory/1284-900-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download