maze | e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2

General

Target

f45a18ae5714d1aeb067f1b4f4923073.dll
Size

364KB
MD5

f45a18ae5714d1aeb067f1b4f4923073
SHA1

e6f53d26e2734bbcb91ec828883465db3d40666d
SHA256

e0f7bff1502dfca58121b84627d51ff2622857fd247123b4160833a5806b2bf2
SHA512

bad89a98965bb21239fd644c4a0d3de4a09e51e0e4f8b24d2e158621d07730e395e287d91317b374e4443bef0ad4c919140bf36fc165b5e59a4b72a674c812f9
SSDEEP

6144:5HTs5cIzrLrLrLgsVJIS+Nn49MS0BqQOrCV50DErFNg/ydlb4fQ6wFMv53:uYha0QdDENg6dNoQl+vB

Score

10^/10

maze ransomware trojan

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1154728922-3261336865-3456416385-1000\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c210cb7a929f79d e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c210cb7a929f79d b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- OS15VWap+bFA3SnN/JqRIpwRepq9J2EZme/XrVr/3ZlBQbabnxCrXeUDX1BvkIGUy7gN850wVr1bSMGKBbf7jiyFfEIHcd7KxzwjEUwesfRkv3wmJgtDO3qIg8o6vAum7k2Ds0SK6D4ywBklBpeOdJ0xMt592hlDDPZXubnCA5VCqTjbHKN23uz4qyrhmq/mk2xhfxyUilJpn9GgsXD0UkQ4WFqOPAGNXWDyPyqlvSLGzERARIStfKPP7Deeg7aGMOyTNYq097FPgWdTrS8d63tK1r+OqVdIDs8gLktPTmfsukGxTqVABgZifmJMGNmf1xoZhrG24BnkV79Nyz+c/J1EPVFpVtrw36AraTrMAd5j+DzFwhpcPFHPD8c8cZIOr4XN5yclGEjcU5yF0Vyvah0hzFbAigoR6F5xRR9gXmDmQn5g4yQ7w+/J/+Wpky0cFJ8ywP7KuL8f8WMgYNvptUdD48qjT+reZZww5O9JSvRpZqA1v4dZTG+xg9R0e/whLupMRwk4wlyqjjXjiOZlBBoX7zbPCUP13/drqGMrOoaho1pH2llpNwg2lJWtSAkBZ6UwqICR4wIRq44t3jPSsJY2QWyBEAEkX/KFBFhycpplTvs3EHqRrOprCH1kjutlVuyx4q5FWmEHbjJQs9M/ga4lqr3EeY/ap303iQfRyxFgm4Fl2O/bk4IvCNyeU+LFbnmPyEHgWoYYL0xkFSI4tXqlieInQRASK4laOENvBz8z1VMg3nd69UVeUHekfn1IaCyUbc4xl9gS5fKlaeUdzdZZLviy4LlsQThPHIrJSsOZCAUZePOM+5SoVRi3i0LbpqqxSAxv7ahswBVMTbBvfoQWO5DNAQuu8/iTBb7RaF7mJ39YChG8UgB8G3km3uVBqcbtHKAmyBNYoQOPhRoOJ1yrjb2+i3BuqOYpESgIUutc9llksW4i9fb+FcLgfaLBpGYzwuR3G6XECDeHht5LGRC9niDUUZg5MOrH+W78dTSGtmYIxa+UU1wpO1iQOSMwepbBnZTVFGRS5HRAXZ49gBQ10vGahNCMv4KP/t+KTuoEPf6cIjPs2cOqHOI9+TmRkN6Z0cuytrOJ/FbkvRhCfgu0O2gP6rert7YqKbTdM0FLpE71pzPBriIssTZkw2v6MEFSkauaEoJY48AhZCd7XzQfTZ5z/YBrcekUFwKPsJNF3XCP85zdH7HEAibWsmzEAUDlfeESpKt+dlaiC7+pUd/yzbvFXa2QteuJ3UJ8XDprS+n9LX8FsFh7vKToENg0QUFClmWkXd5sSpoK1C5gHd+qAvHEYrY2oITBV8bNiZ1YTWz64rqIQLqz+xKrxrlScC/6D4t9qoWbWJ363rJO/UMueDlC4IPC7Jo+8JLmZt0u4mlP7r2XJl7Wgchk4OblySaS84YurikxgQTXWKJqO9xFsWrIx9OFJjepIKeqB1sZU5Obuzebh1rWT1V26n+luEH+zR+Q8ZqYCJnbYhOkXGfcN0HYtj5Uv98IDPUevVZ5JWvomVgHTr1zeZHxWg4LDTLLDOEHMnLgpWlad8Ld2kkn2OiVZEZgO9g3VcSwDT3CTKUsrEI7f0uj+ezxyd+4f9qgaPnzibWCpqhwzydpk8RMyD4d4RKBKzeMnD4wEJH5GU80JXVfH3UTdTRlMImsz1PitlY4cmV5XxES6E81CQ2CTs/PqXccRLdBkrwuPPIlX4sTG+hfWv681Q6Hk/hfyrJg8w5PItNJLxbuisVvhTVJQaCwKzzSViSoTnSsl8wy7MNGGtlzdCL0NIjtKI2H4YXaPX1ppI4fH7J+BqanzEOxtY3sK28gicpvmGQVsyr4vINqbFqhF314ntNWA+4Qa3AQTzJZLwkXhUaEaIYSzYY+FmDouRMv3X4ldK/CtewIKa9MW50gpNO9Z/Ut2bVQQBeeyLxQHeXkDUlQciflt2fp1fgd3yeCrhOjDn1kkgMLkaSg3ZRkqcFemzBLlryOnTaEB3AWD9z/HQti6e7vQCIj1sjdazjo4+GGjAi9xr/a0IYSk6v8Vyy+LHIhwzJz6Hy0hymSM9qssWInO/7eLDojp8uLAwyAEJcCynGtRtVNlRYMMo/ToueSRxmJ80vyvXzUmJosUpy6JzPzqMv2/Y8ezzP2HM44injkHr3c8jaPvYHGXY5VyKFrSKbuOmufr1ykkP0cRvssfIdiB5pTWwrEJh5679LYE+YSbhpmXEfjM8RRkaGyEaIHroJmmZ0bD5nxPwoiNgBjADIAMQAwAGMAYgA3AGEAOQAyADkAZgA3ADkAZAAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAFQATABJAEQAVQBRAEMAUQAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAA0ADcANQAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADMAOAA5AC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcILr2Ht4HIABAYoBBTIuMy4y ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c210cb7a929f79d

https://mazedecrypt.top/6c210cb7a929f79d

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RemoveRename.docx	rundll32.exe
File opened for modification	C:\Program Files\RestoreReceive.pps	rundll32.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files\ResumeInitialize.mhtml	rundll32.exe
File opened for modification	C:\Program Files\StepUnprotect.m1v	rundll32.exe
File opened for modification	C:\Program Files\SwitchReset.wps	rundll32.exe
File opened for modification	C:\Program Files\UndoLimit.m4a	rundll32.exe
File opened for modification	C:\Program Files\MoveSubmit.xps	rundll32.exe
File opened for modification	C:\Program Files\SubmitCompare.mp2v	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c210cb7a929f79d.tmp	rundll32.exe
File opened for modification	C:\Program Files\ExportWrite.htm	rundll32.exe
File opened for modification	C:\Program Files\JoinDisable.cfg	rundll32.exe
File opened for modification	C:\Program Files\SaveSet.wpl	rundll32.exe
File opened for modification	C:\Program Files (x86)\6c210cb7a929f79d.tmp	rundll32.exe
File opened for modification	C:\Program Files\RenameUnprotect.m4v	rundll32.exe
File opened for modification	C:\Program Files\SplitMerge.mpg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c210cb7a929f79d.tmp	rundll32.exe
File opened for modification	C:\Program Files\UpdateJoin.mov	rundll32.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c210cb7a929f79d.tmp	rundll32.exe
File created	C:\Program Files\DECRYPT-FILES.txt	rundll32.exe
File opened for modification	C:\Program Files\InstallLimit.ttc	rundll32.exe
File opened for modification	C:\Program Files\MergeRestore.xsl	rundll32.exe
File opened for modification	C:\Program Files\PushInvoke.cab	rundll32.exe
File opened for modification	C:\Program Files\6c210cb7a929f79d.tmp	rundll32.exe
File opened for modification	C:\Program Files\MoveSkip.wav	rundll32.exe
File opened for modification	C:\Program Files\UninstallLimit.mpeg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1912	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1396	vssvc.exe
Token: SeRestorePrivilege	1396	vssvc.exe
Token: SeAuditPrivilege	1396	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28
PID 2644 wrote to memory of 1912	2644	rundll32.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f45a18ae5714d1aeb067f1b4f4923073.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-1154728922-3261336865-3456416385-1000\DECRYPT-FILES.txt

Filesize
10KB

MD5
a6bc87ffab145ec344f4bca0fd578ae6

SHA1
84287315dc22e9395176ba73672b81167ecf6564

SHA256
e0bca39a8d65aa5d6fa66c73cdfb5f914f4b738bcd92e757f0e919d0ba3dfc91

SHA512
a7e7c1f5927ae7c7e345ae2d876c875993b93c8a417dfc96aa1ce8e9865ba67a2c9198801de9f75fa630a5d9f8a02cfa99d3391ae7e489785139980b5cdd88cc

Download Submit

Analysis

Sharing