maze | d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125

General

Target

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
Size

351KB
MD5

391370b48b8f64f86c628742b03de53a
SHA1

0c4ef4daef2458ae999d2d3bf3ee837491369a25
SHA256

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125
SHA512

62527b56eb597c1a177f154793f0734ed3e54df7dfd36e619f07a44cee2e22190920fbd15d34a5c8fcdd54853cbad95a797c6fbadc0f5f19ddf25b13945b4adf
SSDEEP

6144:nNlHAp8tUArLrLrLfMemq5MmsCdKSXZ/cJlCJ6AWJE9V50DErTNg/ydlb4fQ6wFL:G4DmGw6yDKNg6dNoQl+v

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

F:\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>filedecryptor@nuke.africa</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">mFQ9h1O+r1yAr58j5TPCT65WSB+zEcNA76NIDBwsbm+MkvaoNBLiDbspMTCGRGqlgvs8fslybHKgycZAwDzUTjTQHGSJSYctccLWhcerkKUaLSztJLuSR8vcsz2FoCXihkZmK/YGK5L4f9yPBgAyVUFBV891RizfSbmHkZkM1m+aNWq5rcjmXRLfZ9b2MXfltPtHykOYs6nN0XeugfU+bXVIDluTEk0fIz4W7PV/GuSHt/j0i5EJ777/4h7QqgTqldamC0XYp3yxQj9GqKVNsa1MxvURBg6+1WbbYsR1bdfZ+vqY2PMEQ6tXQzqEOU0QET9jfspREqGh7vkV+WPiAi43h+6wknIOFt4sri2RsyPkGfK5JqYyD3KRM0u7Z7rw9Nqe6mwhliuDgu8dw1o+HrDrbS78RP0EHbxejRTmw48nJZvqeOsxMZNLs+gmO8bJoxJKePtmLJKtRuGNnBRFmoFT7J9IL5/D8PRI9+3UCu2esZeghvoAYj1Fzxp5udNT4D8Y8LxFmb3ZJNl+GboMG1eofshBEbcWGOyUWGU1rnJPf9zc9lPNJUL1tolsmp0jP69TUPT2E+BPkxgP9PqGRBaBLTubjcRP15yO3mjTcv77+SZlcEv2ZHz4zNkRlL6aFkcvDmFD44msqP+awQ9e864e9KjV6eXv/kHenBb5/jgUfz8qnHXPvzNxG3SGFVC3nlaEWCmsZo6KT8spAncstSKmumpcQM6WWrYfz6xtdqyRX2S3Lxm3W973qJU4qWdF0G3ssXKT9q7i/6tFwiki5hfl4C0GzikNNKwT4wwTWkFgguAUj5CtXW6pQCmrTwHREa/pABK1kwEdW+BiDZ/Zvb91giYxJ7OS4j2xMfnfxXuKkrY9wILB02gMsupdNCz3PmiQ0/DDlGnLwUGyBWSFpJaoGT9p1HI+h02RnV/RKAIxu+Sa1l1/MtJgxQ/vEixDqb0DN6/0FJL28GbR3pnJTs4dIBiUy+A2j1lbNT1eQ0ZpyWjQyud3lFN5kP2FcdHQERGPL11v3Jx66XJ8E32MxBHohvinEhIZybWDEceSweykb/U36EyOfLi2MQdQHfehZfPwMMy+5V5nKCdxpbZ0oE1gw0iDiqLcBsYsF9ckMtO8GrmiD0dU1HA7sJZ/VdPpvQRPGj6RHh8Z8CdhJws4xQHVpdXtdrPleciW84v02PTTOcmCMGCRy5Q4UXn5oYlH3x4O1i0++CxnuwgEy1THSMACicJ3gMaPd8g9uNCEC0wSyl/5Ez+jD3pY6+8WXNwPzTBHEtNw6fYaPbLPs+kJH/h6NDenKsyhA0Tm2IertE8E9J1+ZRurtKYcqHRn37JfOS9Xzk5TNLTtBF+ILa30JkqglvCGh2ChBYYSsUq7kAFAvseXw5dn5uAhWkf/jjW0j/2AvHXVKMXqf1If+UbT4f3aQqkULB/rnGBeSJggh9koYrExqb6RwbbGajfwyNDqXEEZZ/VyKmuAWNJQ6pc/I1Mt7OesP9nON22EVFHdBBkrO+PZvU2qk1gg0P2hCMp3IWVArimpZZj6URoZfbcSJPM1fBLijpoDya8/m8agMQ1unfOYBLnXSzMsLY6inOGb63TGYiJv5o27ElLoBXg8dfXAlM6oaVo30NMlP6uvw3e2CVJK7spmYUIvJKlOeea8c2Mmq8y4xFr4qqKMBHZerXVX4pNTUprZHPCImWPMqmh7RC5YB5LIQsJDStLfj58J8XwNMv/JQYkBQEEbLIYspBRW1ef6w9UqE1ahNmzACOaBJXuyDVLppQzMsvVKOT6RE4qLJQ76fd4K8xwnpwq+ygNl42xuUrKRd50cWBj7ICxPE03S3nNZjyue3e0VX6ul6LZwjMND5QhYITNHSu3u82UlFNYA5dZbdGXWcQMbYgvMrOhiaGq1Ted9HHM3hw9/9UduhxK3UCIC9nrbQmwrpKYW8s7yB54hge5xiNigxQabSSmD8CHv5wdwhxU9SVop2hF/2KvHPIU2FnDqG+D4VoPqDvSeuyt/V2eGYMzXMrawK3GxuYRuQ2H7VrUeoaCwBrmKwOPHCTDRETFbaNh6ynwhtgSn9IG4HoeXjoNl/In2LKDTymIUyrDc3aDbdJ72M9hB+/7Jr5XZWyQZ7dnYlSzrPDBVvipChNOGkDEZwdmfMgcsR3LfLOTlMfRTqkWAOGB3GogSrVQ0wXrQpO7cr7aamYZyaMG98rVL0URBV4rEJ2N5lka7eSpvuAUnwbA9hkMvHgoiOAA3AGEAMAAwADkAOAAxAGIAZQBkAGQAZgBiADYAYgAAABCAYBoMQQBkAG0AaQBuAAAAIhJLAEcAUABNAE4AVQBEAEcAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDMmNl7eASAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>filedecryptor@nuke.africa</b>

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e75d.dat	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

pid process

628 d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

pid	process
628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemProfilePrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeProfSingleProcessPrivilege	2700	wmic.exe
Token: SeIncBasePriorityPrivilege	2700	wmic.exe
Token: SeCreatePagefilePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeDebugPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeRemoteShutdownPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: 33	2700	wmic.exe
Token: 34	2700	wmic.exe
Token: 35	2700	wmic.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe
Token: SeSecurityPrivilege	1980	wmic.exe
Token: SeTakeOwnershipPrivilege	1980	wmic.exe
Token: SeLoadDriverPrivilege	1980	wmic.exe
Token: SeSystemProfilePrivilege	1980	wmic.exe
Token: SeSystemtimePrivilege	1980	wmic.exe
Token: SeProfSingleProcessPrivilege	1980	wmic.exe
Token: SeIncBasePriorityPrivilege	1980	wmic.exe
Token: SeCreatePagefilePrivilege	1980	wmic.exe
Token: SeBackupPrivilege	1980	wmic.exe
Token: SeRestorePrivilege	1980	wmic.exe
Token: SeShutdownPrivilege	1980	wmic.exe
Token: SeDebugPrivilege	1980	wmic.exe
Token: SeSystemEnvironmentPrivilege	1980	wmic.exe
Token: SeRemoteShutdownPrivilege	1980	wmic.exe
Token: SeUndockPrivilege	1980	wmic.exe
Token: SeManageVolumePrivilege	1980	wmic.exe
Token: 33	1980	wmic.exe
Token: 34	1980	wmic.exe
Token: 35	1980	wmic.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

description	pid	process	target process
PID 628 wrote to memory of 2700	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 2700	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 2700	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 2700	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 1980	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 1980	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 1980	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe
PID 628 wrote to memory of 1980	628	d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
"C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\wbem\wmic.exe
"C:\r\..\Windows\klsfc\qat\kdh\..\..\..\system32\avw\..\wbem\yb\x\catxs\..\..\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\wbem\wmic.exe
"C:\o\..\Windows\rw\uyiw\wkxjr\..\..\..\system32\jhcst\x\vkvm\..\..\..\wbem\fwpp\ofa\sfi\..\..\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6C05534B928E4F6F91125D9EE0A20666.dat
Filesize
940B

MD5
ceacb585d206b94d693d2ad175a610a6

SHA1
d26f83a6c068cf41b5f65e7567272c7331c72601

SHA256
a7169f1aa3c74f3021bde36d4d7d63510d8b5a29ac52c64c224db5177023efb4

SHA512
5e53ce7e3b07d9c9a999ae4a1e30f805e3d8a57c6ac30fb3bff05859befe9263aa2ffcb6225243748a57a3a908ffa83a14155883a65121f05866eb7935454134

Download Submit
F:\DECRYPT-FILES.html
Filesize
6KB

MD5
f3f4beb786bc21026ab08dd48a55f3d8

SHA1
3e9fb69b7cd51934931d4fd18238b658eb219cff

SHA256
5e08dfec4d64c1d4ecb2bb51b59fb41bc135c52ee0ba484214654e00053ae6a1

SHA512
d54a891fb64c63b53e8a88545b927e64b4a1171cfaa87ac7cf2302a2f72ec5da35297ad3d8324dd33715734ccbaf851288fcd5db022945c1a3458b7bb88094a6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads