Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2023 08:16

General

  • Target

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

  • Size

    473KB

  • MD5

    f83fb9ce6a83da58b20685c1d7e1e546

  • SHA1

    01c459b549c1c2a68208d38d4ba5e36d29212a4f

  • SHA256

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

  • SHA512

    934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

  • SSDEEP

    12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Malware Config

Extracted

Path

C:\Users\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! 
Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. 
In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">C+NJg9f+ox+DPJRscPPvT3bcl29qyUH1x+ilORt8qPEG+zADaxdubdUx1Wu29uU8e/4kF/Uj92TONrIbB4wt7F+SnuCy1TOIFr2Bmw77Zagc/UneMh8DuvO6VB/WBy4MBLT8bMrRwoF4cw5vwlHxuiaZXAKQJdzI516gdSppCqDT+wf+LTvU7DNCo3mAK86+zrBW20WVgLu7eGa6SjGR7wFirOh70pLHEh0MzZjNpdb7NQBXDTuJIlyWAIurAb4I24FehbIjmCSEqkchRiE1fsDPYhCDFUDtNgrTA0Bn5lZHgKC3Egg+7DQr2sG9UtUhVkuBtykiV43GiKEQYBAZQFGDHn678ry1r4NjJU/+3dTAc3UEiuVEx8ZYZtg/xc73/UJxkZHDO8t68NVg1Vn1GB46ybESPgkbL0DWW4o1tEb7k5TTq+CoHGQiPRfjG18p0jk5//GCErrIqz2d9efB5P6FrGWAQX0NgB2loS2O7BU12pD0/ZhBfKtb5PmC6afyFxTTxw4AmP4Ipnq+KCtflGJyKYlNTR69bWaayhEYm2NUK3LExgWxIvgnPY/yOwsTiCq5IF/23uulEYK6fXj/FVV6vKfRd+s7PvqOmb0ZtH3WRDzlpqs2nRLdMt2/Q/e2BqKE2VkuYE7+QGfFrcH7/JNkZmle1nK7zmNW3ch/l+ivwPqxM3jPrACVRK6OoBDkJJKSLHz/km2df7Sk+U7g6tvV8Gqctweb3QDWZrS7iAEUU7pEI/xf9PEZ1ePpEF0rwd5nACDQxk/vnKQFsbmte7+0vvwU2gdL1DFLbEmx3u3AQlf3MOq7otvWhWFiKDQJg5iE3mg5qifFWdHc8fcMsSmPQal8g28IFvHZd/+aiz2VkIlneYa5dqNedGWzAVv4dcIThkpSYniIG2DxE659VUu7fzS4X13TfKnKaGyw1yjaRj+MzkfvYN0sfuR4Pgcx0U8Mu74QQLGTdTvrkmpkzF2SCzQ0WZ8aMqvi9bd5iVIaGA6cqwgDHCoLO7kOoLfWXh2qeSGxW12FpptVG50w21QfZK60NG8yezsx7RG4YzEkBFGSH5NQsD06e3/oOHGqrMMzl8WfppmEl2p8dc9RtDAU2Db6wYGnXuJhIAQ8wunIT1Pq7NHK1x1aKqRci2h0vszI/cA66ZiH1otFjLDyAQZk8xtsZ8sofjVksu/RND//cUFIqhfbT1lSFTo3kpTZLdx69qn/0Ha4pUexH4g8OICHLgDwRg9fJA+QzA7U2uPZQSvueMcdYBKrsfjpM7uYGr4d2AScpTKkBYW6t+Ep6qOzmCzxAhgLpl2yKcW9KulOMxNAypmZoUKzhspJVtIghp6EFqe3AeXZt6IwgN4L9JSSfodP5UMgsKIhaOVjATOXzuqTM4qbKiWAeAe12NZ+kbBG9BRUxIDWaPyLJNWFAapclcnNLwWG1lRGEaGpv8/hfYqZ8PR1rIK+1srGV9wDI2VBfeUoHfJm1o4cGWJSibEndl3p64mBX
AG6IXiMBXNYmS9SLLcPGjcwwKtBpCUZmHVDB8Oc27WfB7GXRj4t4JKixQo6KR62kyNLun7gWbBdz73HKqjp9wHN+jj91Hd4spBO5lD8nHlWDPneP7xouSL6ifPQpTSzfA1silM8XFTELeKzbdJotf9l3bAOk10M7eCXc+JXh7391m4uXU22Du6PwPG9UAC7lK18CxoSTALYU88xyHIruw9hsbU0xtzuEVm8a02rAC9Xq/PE0AyZjxn7RSaHwcCvIOuwBLaKkUPcJ+BVJ55xoKHILcqukqrgJYywNqq3uiGXJy7TyJIcgJWDc2fAkvAPc4fjq9fHHsnjjuK016AJM8NEj84Wz8zptBNEsAF6ZscX9tx3U4N3lmtvBPwmhI4Oj1miTERCYVmoemY0W8PvvF7F4l1EhN3KwUG2BBLSVRB7ERM69WE9iZ1STxqRDvITzWXf3zoi8fsn3Pb9Xw6mXmHXlar8OhOXuTAgQIQ06gwuIHErrTs5LGudIw4ZsXy3HjoU8wy8M3AYG3WawER/mOsX+jxSe5BOAerDpRS7e+RS4cMAPFULvJTNNHFKvMPUcdvoTmq1G+JXxkVRaqrlKGUQphS94LpjY1LZb7qJ6l50xyUWRVyiIDZc5HpUJm/j3cufWQ5+oEKmPmrbhADri2C/MWXh4/I4UvBVua2bqPsBM7sg6m78lfnStJpcS2Y0MZb9/W7NA+UkGFruyhsoaG9+B+FBjlBVzKabIAoiOAA4ADAAYwAwADkAOQAwAGIAOAAyADIAZQBiADEAZAAAABCAYBoMQQBkAG0AaQBuAAAAIhJOAEcAVABRAEcAUgBNAEwAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDTkdl7eAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

koreadec@tutanota.com

yourrealdecrypt@airmail.cc

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\wbem\wmic.exe
      "C:\jcjwk\j\..\..\Windows\l\..\system32\nwjci\vcls\..\..\wbem\o\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\system32\wbem\wmic.exe
      "C:\x\df\p\..\..\..\Windows\qbvqm\alw\..\..\system32\ybg\..\wbem\grd\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2568
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:2932
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1996

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

      • Defense Evasion
        Indicator Removal (1) T1070
        File Deletion (1) T1070.004
        Modify Registry (1) T1112
      • Credential Access
        Unsecured Credentials (1) T1552
        Credentials In Files (1) T1552.001
      • Discovery
        System Information Discovery (1) T1082
      • Collection
        Data from Local System (1) T1005
      • Impact
        Inhibit System Recovery (1) T1490
        Defacement (1) T1491


    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
      Filesize

      3KB

      MD5

      edd75ab59496847a2d0c8e73982f7a1c

      SHA1

      51cc13fc90e9e09b5f7e5b496aefc9a220354022

      SHA256

      bebeb0e653ee953d98bdb0e9b5cc6a6ff0b6d90917f717cf86a2d74ead849394

      SHA512

      46040d0d34591cadea5fe2742a0051f5250bba3730d37a2fac34381fe466f68cb08f786796cb2f5172ac640db441a0b754aea12cb07715350f1e66669571dfd8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_ED66E6A8328745CF89A50A716B5CA0B8.dat
      Filesize

      940B

      MD5

      e3f3f89380c9ee6aee108491e9b98715

      SHA1

      56760b5ad12929d05381044ad1913d9bcd2322f9

      SHA256

      d60e0bbc5098fafc765f35affc549addc029c87a7402ab29a28f9a39a46fd992

      SHA512

      bc045e29760ece914d02d85f84affca262a9bce866c84acd8c42f124d45e325fd82337f002ac6faad390388fdc80541f20dee028dd0876a768072718896da077

    • C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2
      Filesize

      298KB

      MD5

      5e3323fcbdaaed6cde4f9c8595b709b0

      SHA1

      85de5ace9b5656896caa48739a29d99bae2f3d31

      SHA256

      2999075bc0f46094cf80bef5d78722a582604674a52c6d11abfdc5d8d24f33fe

      SHA512

      36f4fc530cba38ad77be4a33b1f5b5c591b53de14f193639220e5ece671f973af4149446ea6062e66f1f0c73004aadc5a9be6c144cfce87912b355825a87ef89

    • C:\Users\DECRYPT-FILES.html
      Filesize

      6KB

      MD5

      5c0f52f4f89609b9f8a41cbd4ac84b64

      SHA1

      d6bf7f59f8ea4aa312e6f260930a55b9710b3767

      SHA256

      7d717c0034d41a2411919beef0dec4b3c0bff2879e79b7d4d25f4053a6e7a22e

      SHA512

      6c3063c4bedfbfaea05538d142235fdfb6c239ecd1f7e8edc7a27b73a859ecdc4d1bc7091974196dbdffe3f8f22556635b642f1b45ae40372c5c77d248342523

    • memory/1916-0-0x0000000000180000-0x00000000001D9000-memory.dmp
      Filesize

      356KB

    • memory/1916-1-0x0000000000540000-0x000000000059B000-memory.dmp
      Filesize

      364KB

    • memory/1916-6-0x0000000000540000-0x000000000059B000-memory.dmp
      Filesize

      364KB

    • memory/1916-10-0x0000000000540000-0x000000000059B000-memory.dmp
      Filesize

      364KB

    • memory/1916-14-0x0000000000540000-0x000000000059B000-memory.dmp
      Filesize

      364KB

    • memory/1916-1780-0x0000000000540000-0x000000000059B000-memory.dmp
      Filesize

      364KB