Analysis
max time kernel: 88s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2023 14:12
Static task: static1
Behavioral task: behavioral1
Sample: Maze.exe
Resource: win10v2004-20230220-en
General
Target: Maze.exe
Size: 736KB
MD5: 21a563f958b73d453ad91e251b11855c
SHA1: 64ed4f6b315448d518ed003a1d0c7e56790ef50d
SHA256: 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
SHA512: 3eaef227db10759c65d668317322e71cd60e60427afd4d4f5f627e9b7a9d4e6d3287b7bf32df3fa7ba2f7062ec41393a100a477668b7f4dca76c2b8932c1b9eb
SSDEEP: 12288:VIeWyYCERmabd3LPwPqnk7HLhccQ5VSdQpRSZN9dSz6:VIeHERmabdbPwP4k71cXrEEwH9dSz6
Malware Config
Extracted from: C:\odt\DECRYPT-FILES.txt
Family: maze
http://aoacugmutagkwctu.onion/897e09afca93b1b
https://mazedecrypt.top/897e09afca93b1b
The trailing path component 897e09afca93b1b is the same identifier the sample uses for the 897e09afca93b1b.tmp files it writes next to its ransom notes (see the Startup and Program Files IoCs below).
Signatures

Maze
Ransomware family also known as ChaCha.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is carried out by wmic.exe shadowcopy delete (PID 2608), spawned by Maze.exe (PID 232); see the Processes section for the obfuscated command line.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files. Note that the suffix appended here varies between files within a single run (.gNfm6, .ijS5Oy, .WB5Gg5) and is added after the original extension, so a detection keyed on one fixed extension will not match Maze.
description | ioc | process
File renamed | C:\Users\Admin\Pictures\BlockRestore.raw => C:\Users\Admin\Pictures\BlockRestore.raw.gNfm6 | Maze.exe
File renamed | C:\Users\Admin\Pictures\DenyLock.raw => C:\Users\Admin\Pictures\DenyLock.raw.gNfm6 | Maze.exe
File opened for modification | C:\Users\Admin\Pictures\OutAdd.tiff | Maze.exe
File opened for modification | C:\Users\Admin\Pictures\StopPublish.tiff | Maze.exe
File renamed | C:\Users\Admin\Pictures\StopPublish.tiff => C:\Users\Admin\Pictures\StopPublish.tiff.ijS5Oy | Maze.exe
File renamed | C:\Users\Admin\Pictures\UninstallSearch.tif => C:\Users\Admin\Pictures\UninstallSearch.tif.ijS5Oy | Maze.exe
File renamed | C:\Users\Admin\Pictures\MergeRename.tif => C:\Users\Admin\Pictures\MergeRename.tif.WB5Gg5 | Maze.exe
File renamed | C:\Users\Admin\Pictures\OutAdd.tiff => C:\Users\Admin\Pictures\OutAdd.tiff.WB5Gg5 | Maze.exe
File renamed | C:\Users\Admin\Pictures\WriteDisconnect.crw => C:\Users\Admin\Pictures\WriteDisconnect.crw.ijS5Oy | Maze.exe
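The rename IoCs above show the detection problem: three different suffixes from one process in a few seconds. The following script is an added example, not part of the sandbox report or of any vendor's rule set. It groups rename events per process and flags a process that appends random-looking suffixes to many files using more than one distinct suffix. RENAME_EVENTS is constructed from the seven "File renamed" IoCs above plus one invented benign rename (explorer.exe, .bak) as a control; the (pid, process, old_path, new_path) tuple layout is an assumption about the log source, and KNOWN_APPENDED is a placeholder allow-list to be extended for a real estate.

```python
r"""Detect ransomware-style bulk renames that append a random suffix per file.

Added example, not part of the sandbox report. RENAME_EVENTS is constructed
from the 'File renamed' IoCs in the report plus one invented benign rename
used as a control; the (pid, process, old_path, new_path) tuple layout is an
assumption about the log source, not a sandbox export format.
"""
import ntpath
import re
from collections import defaultdict

RENAME_EVENTS = [
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\BlockRestore.raw",
     r"C:\Users\Admin\Pictures\BlockRestore.raw.gNfm6"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\DenyLock.raw",
     r"C:\Users\Admin\Pictures\DenyLock.raw.gNfm6"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\StopPublish.tiff",
     r"C:\Users\Admin\Pictures\StopPublish.tiff.ijS5Oy"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\UninstallSearch.tif",
     r"C:\Users\Admin\Pictures\UninstallSearch.tif.ijS5Oy"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\MergeRename.tif",
     r"C:\Users\Admin\Pictures\MergeRename.tif.WB5Gg5"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\OutAdd.tiff",
     r"C:\Users\Admin\Pictures\OutAdd.tiff.WB5Gg5"),
    (232, "Maze.exe", r"C:\Users\Admin\Pictures\WriteDisconnect.crw",
     r"C:\Users\Admin\Pictures\WriteDisconnect.crw.ijS5Oy"),
    # Constructed benign control: a user keeps a backup copy of a document.
    (1234, "explorer.exe", r"C:\Users\Admin\Documents\report.docx",
     r"C:\Users\Admin\Documents\report.docx.bak"),
]

# Suffixes legitimately appended to a full filename (assumed allow-list; extend it).
KNOWN_APPENDED = {"bak", "old", "tmp", "orig", "zip", "gz", "7z", "txt", "log"}

# Shape of the suffixes seen in the report: 4 to 10 letters/digits.
SUFFIX_SHAPE = re.compile(r"^[A-Za-z0-9]{4,10}$")


def appended_suffix(old_path, new_path):
    """Return the suffix when new_path is old_path plus '.<suffix>' in the
    same directory (the original extension is kept), else None."""
    if ntpath.dirname(old_path).lower() != ntpath.dirname(new_path).lower():
        return None
    old_name = ntpath.basename(old_path)
    new_name = ntpath.basename(new_path)
    if not new_name.startswith(old_name + "."):
        return None
    suffix = new_name[len(old_name) + 1:]
    return suffix or None


def looks_random(suffix):
    """Heuristic: not a known appended suffix, short alphanumeric, and with
    digits or mixed case, which real extensions rarely combine."""
    if suffix.lower() in KNOWN_APPENDED or not SUFFIX_SHAPE.match(suffix):
        return False
    has_digit = any(c.isdigit() for c in suffix)
    mixed_case = any(c.isupper() for c in suffix) and any(c.islower() for c in suffix)
    return has_digit or mixed_case


def score_processes(events, min_renames=5, min_distinct=2):
    """Group suspicious renames per (pid, process). A process is flagged when
    it appended random-looking suffixes to at least min_renames files using
    at least min_distinct different suffixes: Maze varies the suffix per
    file, so a rule keyed on one fixed extension does not fire on it."""
    per_proc = defaultdict(list)
    for pid, proc, old_path, new_path in events:
        suffix = appended_suffix(old_path, new_path)
        if suffix is not None and looks_random(suffix):
            per_proc[(pid, proc)].append(suffix)
    verdicts = {}
    for key, suffixes in per_proc.items():
        distinct = sorted(set(suffixes))
        verdicts[key] = {
            "renames": len(suffixes),
            "suffixes": distinct,
            "flagged": len(suffixes) >= min_renames and len(distinct) >= min_distinct,
        }
    return verdicts


if __name__ == "__main__":
    for (pid, proc), v in score_processes(RENAME_EVENTS).items():
        state = "FLAGGED" if v["flagged"] else "ok"
        print(f"{state}: PID {pid} {proc} renamed {v['renames']} files "
              f"using suffixes {', '.join(v['suffixes'])}")
```

The thresholds are deliberately low so the seven events from this report trip the rule; in production the count would be taken over a short time window per process, and the allow-list tuned to the backup and archiving tools actually in use, since those are the legitimate sources of "name.ext.suffix" renames.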
Drops startup file (4 IoCs)
The ransom note DECRYPT-FILES.txt and the 897e09afca93b1b.tmp marker are written to both the shell Startup folder and the Word STARTUP folder. During triage these two folders are a cheap place to confirm the infection and recover the note.
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\897e09afca93b1b.tmp | Maze.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\897e09afca93b1b.tmp | Maze.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | Maze.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No file-level IoCs are listed for this signature in this run.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | Maze.exe
The value is shown with escaped backslashes; on disk the wallpaper is the dropped bitmap C:\Users\Admin\AppData\Local\Temp\000.bmp (the doubled separator before 000.bmp is tolerated by Windows path handling).
Drops file in Program Files directory (40 IoCs)
The ransom note and the 897e09afca93b1b.tmp marker are also written to the root of both Program Files and Program Files (x86); the remaining entries are files encrypted in place.
description | ioc | process
File opened for modification | C:\Program Files\SkipAssert.reg | Maze.exe
File opened for modification | C:\Program Files\StartConvertFrom.wvx | Maze.exe
File opened for modification | C:\Program Files\UnregisterRename.M2TS | Maze.exe
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Program Files\AssertConnect.tiff | Maze.exe
File opened for modification | C:\Program Files\RenameHide.xps | Maze.exe
File opened for modification | C:\Program Files\ReceivePublish.xps | Maze.exe
File opened for modification | C:\Program Files\ReceiveSuspend.pub | Maze.exe
File opened for modification | C:\Program Files\UnlockExpand.js | Maze.exe
File opened for modification | C:\Program Files\UnregisterRead.dotx | Maze.exe
File opened for modification | C:\Program Files\AssertWait.css | Maze.exe
File opened for modification | C:\Program Files\FormatTrace.DVR | Maze.exe
File opened for modification | C:\Program Files\CompleteConvertFrom.ini | Maze.exe
File opened for modification | C:\Program Files\OpenHide.mp4v | Maze.exe
File opened for modification | C:\Program Files\RedoCompress.temp | Maze.exe
File opened for modification | C:\Program Files\ResetStop.mp2 | Maze.exe
File opened for modification | C:\Program Files\RevokeStart.3gp | Maze.exe
File opened for modification | C:\Program Files (x86)\897e09afca93b1b.tmp | Maze.exe
File opened for modification | C:\Program Files\BlockGet.vst | Maze.exe
File opened for modification | C:\Program Files\CloseGroup.emz | Maze.exe
File opened for modification | C:\Program Files\RenameUpdate.svg | Maze.exe
File opened for modification | C:\Program Files\SelectOpen.au | Maze.exe
File opened for modification | C:\Program Files\ConfirmPop.scf | Maze.exe
File opened for modification | C:\Program Files\ExitUninstall.AAC | Maze.exe
File opened for modification | C:\Program Files\StepComplete.mpp | Maze.exe
File opened for modification | C:\Program Files\UnprotectRestore.cab | Maze.exe
File opened for modification | C:\Program Files\WatchUninstall.vsx | Maze.exe
File created | C:\Program Files\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Program Files\897e09afca93b1b.tmp | Maze.exe
File opened for modification | C:\Program Files\GroupSet.cab | Maze.exe
File opened for modification | C:\Program Files\MeasureComplete.wm | Maze.exe
File opened for modification | C:\Program Files\ProtectReceive.cfg | Maze.exe
File opened for modification | C:\Program Files\RestartClear.wmf | Maze.exe
File opened for modification | C:\Program Files\RestoreHide.zip | Maze.exe
File opened for modification | C:\Program Files\UnlockAdd.css | Maze.exe
File opened for modification | C:\Program Files\GetAdd.ps1 | Maze.exe
File opened for modification | C:\Program Files\GroupRestore.nfo | Maze.exe
File opened for modification | C:\Program Files\TraceSync.3g2 | Maze.exe
File opened for modification | C:\Program Files\AssertWatch.jpeg | Maze.exe
File opened for modification | C:\Program Files\RenameDisable.bin | Maze.exe
Program crash (1 IoC)
pid | pid_target | process | procid_target
1196 | 5040 | WerFault.exe | 83
The crashing process (PID 5040) does not appear in the process tree below; only the two WerFault.exe handlers launched for it (PIDs 3920 and 1196) were recorded.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. All three reads in this run are attributed to taskmgr.exe (PID 4872), not to Maze.exe, so they are not evidence of sandbox detection by the sample.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | entries
232 | Maze.exe | 2
4872 | taskmgr.exe | 60 (interleaved before and after the PID 1952 entries)
1952 | Maze.exe | 2
Most of these entries come from the Task Manager instance that was open during the run; only the four Maze.exe entries belong to the sample.

Suspicious use of AdjustPrivilegeToken (50 IoCs)
pid | process | privileges enabled
4872 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
4448 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2608 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 is recorded twice, 42 entries in total)
4068 | AUDIODG.EXE | 33, SeIncBasePriorityPrivilege
Privileges 33 to 36 are listed by number because no name was resolved for them. The long list for wmic.exe is the privilege set wmic.exe enables for itself on start-up and appears whenever wmic runs; the indicator worth alerting on is the command line that launched it (shadowcopy delete), not the privilege list.

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process | entries
4872 | taskmgr.exe | 64

Suspicious use of SendNotifyMessage (64 IoCs)
pid | process | entries
4872 | taskmgr.exe | 64

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | process | procid_target
PID 232 wrote to memory of 2608 | 232 | Maze.exe | 104
PID 232 wrote to memory of 2608 | 232 | Maze.exe | 104
Both writes go from Maze.exe into the wmic.exe child it has just created (PID 2608); they are the writes a parent makes while starting a child and are not, by themselves, evidence of injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Maze.exe (PID 232)
  command line: "C:\Users\Admin\AppData\Local\Temp\Maze.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\system32\wbem\wmic.exe (PID 2608)
    command line: "C:\pw\fs\..\..\Windows\cemi\eis\dqt\..\..\..\system32\vthd\..\wbem\hwwx\sx\uh\..\..\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
    The image path in this command line is padded with nonexistent directories (pw, fs, cemi, eis, dqt, vthd, hwwx, sx, uh) that are immediately cancelled by ".." components. Windows collapses "." and ".." lexically before the path is opened, so those directories never need to exist and the command resolves to C:\Windows\system32\wbem\wmic.exe, which is the image path the sandbox reports. A rule that looks for the literal string "system32\wbem\wmic.exe" in the command line misses this; match on the resolved image path, or normalize the command line first, and alert on the arguments "shadowcopy delete".

C:\Windows\system32\taskmgr.exe (PID 4872)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (PID 4464)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\vssvc.exe (PID 4448)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe (PID 3920)
  command line: C:\Windows\system32\WerFault.exe -pss -s 444 -p 5040 -ip 5040

C:\Windows\system32\WerFault.exe (PID 1196)
  command line: C:\Windows\system32\WerFault.exe -u -p 5040 -s 1792
  - Program crash

C:\Users\Admin\AppData\Local\Temp\Maze.exe (PID 1952)
  command line: "C:\Users\Admin\AppData\Local\Temp\Maze.exe"
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\AUDIODG.EXE (PID 4068)
  command line: C:\Windows\system32\AUDIODG.EXE 0x508 0x3cc
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE (PID 2284)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt
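The wmic.exe command line in the process tree above is the part of this report most worth turning into a detection. The script below is an added example, not part of the sandbox report or of any vendor's product: it splits a process-creation command line into image and arguments, collapses the ".." components lexically (ntpath.normpath does the same lexical collapse the Win32 path layer applies, on any platform), and flags shadow-copy deletion through wmic.exe or vssadmin.exe. EVENTS is constructed: the first entry copies the wmic.exe command line from the report, the second is an invented benign wmic inventory call used as a control. The field names ProcessId, ParentImage and CommandLine follow Sysmon's process-creation event and are an assumption about the log source.

```python
r"""Flag shadow-copy deletion behind a path-obfuscated command line.

Added example, not part of the sandbox report. EVENTS is constructed: the
first event copies the wmic.exe command line from the report's process tree,
the second is an invented benign control. Field names follow Sysmon's
process-creation event and are an assumption about the log source.
"""
import ntpath
import re

EVENTS = [
    {   # From the report: Maze.exe (PID 232) -> wmic.exe (PID 2608).
        "ProcessId": 2608,
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Maze.exe",
        "CommandLine": r'"C:\pw\fs\..\..\Windows\cemi\eis\dqt\..\..\..\system32\vthd\..\wbem\hwwx\sx\uh\..\..\..\wmic.exe" shadowcopy delete',
    },
    {   # Constructed benign control: wmic used for inventory from an admin shell.
        "ProcessId": 4100,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\wbem\wmic.exe" os get caption',
    },
]

# Built-in tools and argument patterns that remove Volume Shadow Copies.
SHADOW_DELETE_RULES = [
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE)),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)),
]


def split_command_line(cmdline):
    """Separate the image path from its arguments. Handles the quoted form
    (image path in double quotes, then arguments) and the unquoted form
    where the image is the first space-delimited token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, args = cmdline.partition(" ")
    return image, args.strip()


def canonical_image(raw_image):
    """Collapse '.' and '..' lexically, as the Win32 path layer does before the
    file is opened; the intermediate directories never have to exist."""
    return ntpath.normpath(raw_image)


def has_traversal(raw_image):
    """True when the image path contains '..' components, which a legitimate
    launcher has no reason to put in a System32 tool path."""
    return ".." in raw_image.replace("/", "\\").split("\\")


def analyze(event):
    """Return the normalized image path plus a list of findings for one
    process-creation event."""
    raw_image, args = split_command_line(event["CommandLine"])
    image = canonical_image(raw_image)
    findings = []
    if has_traversal(raw_image):
        findings.append("image path obfuscated with '..' components")
    for exe, pattern in SHADOW_DELETE_RULES:
        if ntpath.basename(image).lower() == exe and pattern.search(args):
            findings.append(f"shadow copy deletion via {exe}")
    return {
        "pid": event["ProcessId"],
        "parent": event["ParentImage"],
        "image": image,
        "findings": findings,
    }


def scan(events):
    """Return only the events that produced at least one finding."""
    return [r for r in (analyze(e) for e in events) if r["findings"]]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"PID {hit['pid']} {hit['image']} (parent {hit['parent']}):")
        for finding in hit["findings"]:
            print("  -", finding)
```

Two design points: the traversal check runs on the raw string before normalization, because the obfuscation itself is the signal and disappears once the path is collapsed; and the tool match runs on the normalized basename, so the rule fires regardless of how the path was spelled. In this report the parent of the flagged wmic.exe is a file in the user's Temp directory, which is a second condition worth adding in an environment where administrators legitimately run wmic from a shell.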
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_678C68874BBB44028B8FA15A464A04BE.dat
Filesize: 940B
MD5: 3751b4ab7d53f97cc02d20e353c9089c
SHA1: eb601432637c4c4aec035e423b4d30fdce7f8a1a
SHA256: 6f7f21d4ec5ff3cc7858285f990de27905a7eb9a64330b0cbd4043c66cbd73c7
SHA512: f8a41ec61d7964a360424c333b6171aa09e413e99c2349689abfc3430a32b4d1e6b05d99b836ec73b386a0b37701465a4300c74d78eb78998a51ae9c1c5f7119

(filename not shown in the report)
Filesize: 8KB
MD5: 82836433b178f89ff6aa4c92bc6e4360
SHA1: 5ac332999950c5199a097eee342e681188041672
SHA256: 2929c32cff3c3801f49ce84076b83900c99eb897a7915a3c906727fb5aacb1d1
SHA512: 0ee0a24c11f25fd5cecd6b86587f10ccb7ed7c48cbf698a642ccc49d19dd38da8f86fbea8e548e8237be31b75443241368b386bd977da5b5637407b7f6fbfc7b

(filename not shown in the report; same hashes as the preceding entry)
Filesize: 8KB
MD5: 82836433b178f89ff6aa4c92bc6e4360
SHA1: 5ac332999950c5199a097eee342e681188041672
SHA256: 2929c32cff3c3801f49ce84076b83900c99eb897a7915a3c906727fb5aacb1d1
SHA512: 0ee0a24c11f25fd5cecd6b86587f10ccb7ed7c48cbf698a642ccc49d19dd38da8f86fbea8e548e8237be31b75443241368b386bd977da5b5637407b7f6fbfc7b