Overview

overview

10

Static

static

1

af64b56850...e2.msi

windows7-x64

10

af64b56850...e2.msi

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    af64b568501ce3d7e43ace3dca1183e2.bin

  • Size

    496KB

  • Sample

    231031-dbhjtsab79

  • MD5

    af64b568501ce3d7e43ace3dca1183e2

  • SHA1

    88d52d7ebe72415d1ee1ff16ffe8afda0b052df0

  • SHA256

    bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

  • SHA512

    b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

  • SSDEEP

    12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh

Score
10/10
mazeransomwaretrojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6dc90cd941a81769 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6dc90cd941a81769 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- hgl9/yKziXy4a5K/13WUd4MI564rSDXJ0xu7bWq3l7yedxisPUPatS1QyrLLf6dZGAxUJQqgblzx3vAGRKQyJ2YDxEfHwhaUUXYEnjFwsbG9P2pzqMXg8JYWkvwAsFIPTJu3iAiKI2NHW8ygOyIOTBNQ31Tvg+tXpSJgPVMgiqtwOqh5PRM7tT8lbZZzJ+VOb6NlYdY546KPTZjcbH9InxFVgIDfy7G5ElhRmrOrcBU/woC5pTzbaH1jXV7AP0P6KJ8O3f50dCVErbwOtz+M5gHnnhfgVs7PvhEkDIa4V7ZeBtA1Xev0AXRl4Se0U3QK44Bq1ksRayhZM0XUZ9SUsOesR8LjmUqsAzovVdhXpY5YmZmkLsOKyI3ICpv2E9yuOjvrwSpjcb1wXc0QuiB0G0EiGMeNdrEtw1r3Pw/zeIKfVUc8Z/yPFdiXnJfx/koyqTImmqpAWWKzqYx+Y4pUexB4acjx4tOx4IhyhkeoGzLgCJAN3LWGZgFpUEo0y4HqpqR7kDdiUXuhXCR/dsr2hTka7/t8pD6uXurJni4JPyo2hYhOI6gHxTq0zaWLu60/JZc3O7ljILdOj4JDMmXpZA1B7GluTyF+3JEH6YCpL3trVpakKa6A6f0jeO5d9yT7aBQd1AbpJwS/hUB/3TN3FgA0NLSM5oPaiviJOnvJfeoWYO7aQfBz8VMVVIwUduDXhnw2zmcJOTEUDHviE9U+/TwtFnvptm27yzEL3kL5UJV4XLo3yM1KNX3pajEITzqgPOhu52rQB2pJv+q1yfCTSVbQLBtMXbjpQ2ylaToH87sl+nipgnpMP99ixAjocrlW8WGQ/Rw+b3v1N5os9Rmt5BggV9X9AVrFSiaCz8YoKal/OZj/Uz6G/006r2TbWFDtT2gIVJItz7bg/ANqxBUvZmJq0jHnOB9mynlD94Y5kbcmj2VFs6shhksqaAFMq7Sm15bGkU6uWhYiQ1Up3Z7ZSVU22GHbt/ylJS8vILawsjCN+p5/1x8vO9vxv3mIPexTSgPLZsPwANSOcNUCBkFsnbJjpphvv8hDjw3HYtVQaDMFfmFIHXN6NhcaPlVYbQYXAofIsqFbSu+1LcACZVQ3UVptETvir/j4dG6TpQC8FV/rForltSWft4KPr7kxPyvejwHxw4MrzGOnugcNcM0WmiXxeZG66ATw3ffrox/frzX0QYcE1IRgvDqDwEJeCKeTAhdgX6OO0TBdA2hFaNVzjWOALjBPHXdmf0z2A0NBG4z/Aecn+Xh5xY9eADm7bE9jZMkEZ9OxsPlu57f8yWoKaPIICqzPTgNBeOPGlVWwnHzmNOngULR/uKmKyO90YdQO4IO3u754EQU7g0x7S00P9xoKYEiSlTEHpYq1XIEwiOz82rSNK6SkFge+i1ZdcGCOYmkGJ99eQweO4qMcnW5q+TQsTZql80UU4RH3CPskeR+WSibko8LPK6KvXYirgVU6P5GBpj8YUA1fZpKCxHAT3MbQRaRn0tR5N6ki/8xYR61E8r7TVfjp4AVW55XY9vAZmua87U8puXp3RtDxPNLo4BSabrjGqC0NaZhkwwnJk49QXhFv33ntp47NS/Ih4YeWqixScT9zxJNY5rW6K04yZYeb4LO/RfvIBOC0KMDt0pG4VXPLMLwx1gm1BI9Qw3q2B0ereJtoS3gYR3xh32MnGK6PjEEsIza/bmis8OTO933qaubiv7C1gEp0yDAY/iRHc9S+XjXTtTvNEppue06klafOwDMIumYzQ/s12804cW0GlQfdAznV1q+4hOLMxrqenI4zId6daoS7OcoOjcwt4hiTIQykcBIjSFX90YepAAmFvFT2XYykrxSgitkFQpaV/b8Uqb26C00r6+bIcKNU8UT9F/UWQCkiEuG6VJRoWFMWUcq0CT9ii3vpGOjgGwhzmyeczf8JoMCyBmOriJ6F3jmi6CQf6kWezOmdOYx0MqBr5F1rr2/f6bu2A25f0Y34iX/dBAAsHDZPMTEr91CRNGWyDZjFIUwUFKpy8hmj3FLUWwlOPlzxh2IIqFG9eRxUUSPDR4nPtxPy73BkIzZtDfgQ9tga0va9+h4L3cTHmCs9Zy5Sq7d3n9gIChdu6xmsgRR06tkj7klarNGyrTwBhGbMF64c79oA5Z+xdjps2O7VU0mbcxZSScWH8SEny7uxhsXyD48mzmwGEVjuR9wIhlCg8Ck4nydvByrfcdj/3to4iWbS0fFdGpHlkMYxnGF33JWhXQoiNgBkAGMAOQAwAGMAZAA5ADQAMQBhADgAMQA3ADYAOQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAFUAUgBVAE8AWgBXAEcARgAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADMAMwAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADMAOAA5AC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcLOQ2nt4HIABAYoBBTIuMy4y ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6dc90cd941a81769

https://mazedecrypt.top/6dc90cd941a81769

Extracted

Path

C:\Users\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6beb0cb347db9a2f e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6beb0cb347db9a2f b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- kkTlyTB1zIaZ3oeJQImACTtSC+DNi1NwcEDqC0N66t3c2F2oHiKUVFklHvHIWnP+Hl3iwL+tCqBhirJW2CUKBd7FB1FUx1wXsXXPI0oK5TxAl8l3uwqqHLFd9wdGuOuxIGDz6fMADwmdqCx9u6yyBlKXNgDZAm09xM6YrlhyN/lfNZwBDBamBaMNmsaAuJRgrhKWB2kcoYIRphTwDHop2SG+ub31v0ZEVYNAVetW+errOvcr/vSZL80BMcL7s/sVisNNiqdWlWUhcjqx5hfiyZ192nW7lwaW1ry2bp7RkkU7cuhn06/REA2GC33+jgr50WqABu19UmTRDwm8sHuZ0rKELPqpnzpdvsrPRj284yXfJLzD9yxapWhbu+vdCGbwI6V7n+9a+gjhLStRpc0NjUQwgmw7LsPj3MBtL6vQm83rwzZoYyy0B/ovnb1nk4fFW/bIY9TMco9YNQOdiW4QgBEzbFNf3yu/D+qJEX1L8v+rT8bNxacUM0VnKkGd8TNDfGexonTZiV7vS8TFFJSLYG2DlGVs5MFF4b/wBvqlaRRc242YOiVSwSc/ax6JWEkUD+uhIntl8MxLmxpQodSYwF6BLMjJZyO/h8nwIg/AZUl3oq/RWHC4yOsHuB7f4GB+AlqEKlGW8FMfpMtLpnS/20L5FgpzCi8NdVAz4cF6RlW07roxceWpQu/FsjLDFkliBZDKwibgrxJviLd4BnaTZmgqRfEoGpU/Ln1oFAGveq1GQQ6tzPIU69F9K2wCG5tFJqBeD6SvvH9d8PPXQhfqkqAR8xxAxh0lO1TpBEjIR9Mbda1IJeDXflYFrPnF/JIc+GWOE0b/jLnN5Pd8eVdcWJuHda94wQ5qiIhRDrMDEK/zY8XJasWd531EoC8OtbzHCrtVYYx9TrZtgzBkYRK/bgP/scJjuVg6bLqcT56ddEKiKU1GL+JetLSFqOpFAAynOVvn7+qMd5hPRjuKw65x9h48a+C0jeM3hR2kPQQutPp+jM+m/rJrLpiWaUViQbSEWMMLA6RoMPq8yGkQzxVNzLqcrBF+s2PkbsHmEtHR728p4hF9/0mvHyRzjteKTvJ9xB/nKBx4epZggM1fZWoatIdq38FDg9//OvlIYNUWmpcUUgh77fika6UjuPi9deXZ1ohnVQHxyqLPewyFnz5CLl8qEAQfJ+JYcKiNY+WOiHpbZwfxTFXg3zX+TQJFADO3S1TJ8C58ngSmJmeK4k81P8tdRf5sLuLlYIo+CUbwRuV84MKfz7B1+y7rOCrETM/GEUL3eFQP9p02C4rhe8HfHkUXVpjVIymTmaFkWrzSH2isc4bEae0r7nMQO4B72bWrUpsgtX/IwEn7AF8D1tKJMtc52zAGj+3wv1ZqnYPCDblrGRULiRfhICllpvSSc01ID9NMoTVIAsauqhrR30ZmSoO7U6l5Dyxbwq5/nks7I351W0DR1j4P8rERFjgIjaQaWVLVWzgTbxAuIoJ6s9+3qHGgFhhMiDSLxHl00Qo8HnlRqd5+Ke8zifJhOJ9i6H6/M3ZG7cQsXdMywQ7LtG52hdK7sP4BznDPHfVZvTypfYbtuFsD+bXE9JSHa9V0M2o2Y4vIBpAzI4si0tm/y2CD5PzPA392BBKEtqMo1Jggz5rJZJj9YINrYqCnq+72JXLpuvcHphua+uAQy20OxLiKMJBKLJOo0LP6ml4l3zRetxBCm2pOWr+/pcJZ9d+q7f+09L+IsOw6fvEdFQqbyd6+55x1l6mFrYH86zEJuE1/Anc/F7TLnr2DexxS71HfF5Fv5iw10q9xQ2ura6VNx99f/faShuFm4soHXNRIx++/c/isiQMydOG8uQyDe7OaykyZwB4ZwKa5mOz8RU/1dhzicC27xr3SP6EGBOnyR8HMwtxrVeFyjr2woMSvlkvmj9OWZHHfIdbu9vZShtd3AtS13u0E0OYGd/2qJf8ztmW7fitATcHlDjDgRDeEsMLK7rwan3b8HNC+1AeQRBJfkPvZW7lH3w6muQqzhxsLmNHeRC4Dl5BlOqKgr/0m9zXa03KcQriC8VH4k7noEZmiX8mDuv49DgAN4akKoZ0h1IdywsVdgrB6Y/9xPnIqN4786hmSWZiEPlzkW/DcssZM6mnHET7JCF0RPkuOOEHRjc8htrKlPrl7/7B5E8fwD/LRp9RmsDzzlJxy3/bSLs8UYGzW0tjbF1aUH+EWKb6aQJj3Vo6ekr1moWOgGmZEYQ53yA97BPh6IgoiNgBiAGUAYgAwAGMAYgAzADQANwBkAGIAOQBhADIAZgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEYARQBVAFQAWgBDAEkASQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAxADgAOQAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcO3o43J4HIABAYoBBTIuMy4y ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6beb0cb347db9a2f

https://mazedecrypt.top/6beb0cb347db9a2f

Targets

    • Target

      af64b568501ce3d7e43ace3dca1183e2.bin

    • Size

      496KB

    • MD5

      af64b568501ce3d7e43ace3dca1183e2

    • SHA1

      88d52d7ebe72415d1ee1ff16ffe8afda0b052df0

    • SHA256

      bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

    • SHA512

      b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

    • SSDEEP

      12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh

    Score
    10/10
    mazeransomwaretrojan

    • Maze

      Ransomware family also known as ChaCha.

      trojanransomwaremaze

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Drops startup file

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks