Malware Analysis Report

2024-09-22 14:32

Sample ID 230530-rhw8fsaa43
Target Maze.exe
SHA256 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
Tags maze ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b

Threat Level: Known bad

The file Maze.exe was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-05-30 14:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-30 14:12

Reported

2023-05-30 14:13

Platform

win10v2004-20230220-en

Max time kernel

88s

Max time network

91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Maze.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\BlockRestore.raw => C:\Users\Admin\Pictures\BlockRestore.raw.gNfm6 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\DenyLock.raw => C:\Users\Admin\Pictures\DenyLock.raw.gNfm6 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Users\Admin\Pictures\OutAdd.tiff C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopPublish.tiff C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\StopPublish.tiff => C:\Users\Admin\Pictures\StopPublish.tiff.ijS5Oy C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallSearch.tif => C:\Users\Admin\Pictures\UninstallSearch.tif.ijS5Oy C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\MergeRename.tif => C:\Users\Admin\Pictures\MergeRename.tif.WB5Gg5 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\OutAdd.tiff => C:\Users\Admin\Pictures\OutAdd.tiff.WB5Gg5 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File renamed C:\Users\Admin\Pictures\WriteDisconnect.crw => C:\Users\Admin\Pictures\WriteDisconnect.crw.ijS5Oy C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\897e09afca93b1b.tmp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\897e09afca93b1b.tmp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SkipAssert.reg C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\StartConvertFrom.wvx C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\UnregisterRename.M2TS C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\AssertConnect.tiff C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RenameHide.xps C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ReceivePublish.xps C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ReceiveSuspend.pub C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\UnlockExpand.js C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\UnregisterRead.dotx C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\AssertWait.css C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\FormatTrace.DVR C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\CompleteConvertFrom.ini C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\OpenHide.mp4v C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RedoCompress.temp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ResetStop.mp2 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RevokeStart.3gp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files (x86)\897e09afca93b1b.tmp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\BlockGet.vst C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\CloseGroup.emz C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RenameUpdate.svg C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\SelectOpen.au C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ConfirmPop.scf C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ExitUninstall.AAC C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\StepComplete.mpp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\UnprotectRestore.cab C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\WatchUninstall.vsx C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\897e09afca93b1b.tmp C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\GroupSet.cab C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\MeasureComplete.wm C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\ProtectReceive.cfg C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RestartClear.wmf C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RestoreHide.zip C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\UnlockAdd.css C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\GetAdd.ps1 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\GroupRestore.nfo C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\TraceSync.3g2 C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\AssertWatch.jpeg C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
File opened for modification C:\Program Files\RenameDisable.bin C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Maze.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Maze.exe C:\Windows\system32\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Maze.exe

"C:\Users\Admin\AppData\Local\Temp\Maze.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 5040 -ip 5040

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5040 -s 1792

C:\Users\Admin\AppData\Local\Temp\Maze.exe

"C:\Users\Admin\AppData\Local\Temp\Maze.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\pw\fs\..\..\Windows\cemi\eis\dqt\..\..\..\system32\vthd\..\wbem\hwwx\sx\uh\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x3cc

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt

Network

Country Destination Domain Proto

Files

C:\odt\DECRYPT-FILES.txt

MD5 82836433b178f89ff6aa4c92bc6e4360
SHA1 5ac332999950c5199a097eee342e681188041672
SHA256 2929c32cff3c3801f49ce84076b83900c99eb897a7915a3c906727fb5aacb1d1
SHA512 0ee0a24c11f25fd5cecd6b86587f10ccb7ed7c48cbf698a642ccc49d19dd38da8f86fbea8e548e8237be31b75443241368b386bd977da5b5637407b7f6fbfc7b

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_678C68874BBB44028B8FA15A464A04BE.dat

MD5 3751b4ab7d53f97cc02d20e353c9089c
SHA1 eb601432637c4c4aec035e423b4d30fdce7f8a1a
SHA256 6f7f21d4ec5ff3cc7858285f990de27905a7eb9a64330b0cbd4043c66cbd73c7
SHA512 f8a41ec61d7964a360424c333b6171aa09e413e99c2349689abfc3430a32b4d1e6b05d99b836ec73b386a0b37701465a4300c74d78eb78998a51ae9c1c5f7119

C:\Users\Public\Desktop\DECRYPT-FILES.txt

MD5 82836433b178f89ff6aa4c92bc6e4360
SHA1 5ac332999950c5199a097eee342e681188041672
SHA256 2929c32cff3c3801f49ce84076b83900c99eb897a7915a3c906727fb5aacb1d1
SHA512 0ee0a24c11f25fd5cecd6b86587f10ccb7ed7c48cbf698a642ccc49d19dd38da8f86fbea8e548e8237be31b75443241368b386bd977da5b5637407b7f6fbfc7b