Overview

overview

10

Static

static

1

af64b56850...e2.msi

windows7-x64

10

af64b56850...e2.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2023 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af64b568501ce3d7e43ace3dca1183e2.msi

  • Size

    496KB

  • MD5

    af64b568501ce3d7e43ace3dca1183e2

  • SHA1

    88d52d7ebe72415d1ee1ff16ffe8afda0b052df0

  • SHA256

    bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

  • SHA512

    b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

  • SSDEEP

    12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh

Score
10/10
mazeransomwaretrojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6dc90cd941a81769 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6dc90cd941a81769 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- hgl9/yKziXy4a5K/13WUd4MI564rSDXJ0xu7bWq3l7yedxisPUPatS1QyrLLf6dZGAxUJQqgblzx3vAGRKQyJ2YDxEfHwhaUUXYEnjFwsbG9P2pzqMXg8JYWkvwAsFIPTJu3iAiKI2NHW8ygOyIOTBNQ31Tvg+tXpSJgPVMgiqtwOqh5PRM7tT8lbZZzJ+VOb6NlYdY546KPTZjcbH9InxFVgIDfy7G5ElhRmrOrcBU/woC5pTzbaH1jXV7AP0P6KJ8O3f50dCVErbwOtz+M5gHnnhfgVs7PvhEkDIa4V7ZeBtA1Xev0AXRl4Se0U3QK44Bq1ksRayhZM0XUZ9SUsOesR8LjmUqsAzovVdhXpY5YmZmkLsOKyI3ICpv2E9yuOjvrwSpjcb1wXc0QuiB0G0EiGMeNdrEtw1r3Pw/zeIKfVUc8Z/yPFdiXnJfx/koyqTImmqpAWWKzqYx+Y4pUexB4acjx4tOx4IhyhkeoGzLgCJAN3LWGZgFpUEo0y4HqpqR7kDdiUXuhXCR/dsr2hTka7/t8pD6uXurJni4JPyo2hYhOI6gHxTq0zaWLu60/JZc3O7ljILdOj4JDMmXpZA1B7GluTyF+3JEH6YCpL3trVpakKa6A6f0jeO5d9yT7aBQd1AbpJwS/hUB/3TN3FgA0NLSM5oPaiviJOnvJfeoWYO7aQfBz8VMVVIwUduDXhnw2zmcJOTEUDHviE9U+/TwtFnvptm27yzEL3kL5UJV4XLo3yM1KNX3pajEITzqgPOhu52rQB2pJv+q1yfCTSVbQLBtMXbjpQ2ylaToH87sl+nipgnpMP99ixAjocrlW8WGQ/Rw+b3v1N5os9Rmt5BggV9X9AVrFSiaCz8YoKal/OZj/Uz6G/006r2TbWFDtT2gIVJItz7bg/ANqxBUvZmJq0jHnOB9mynlD94Y5kbcmj2VFs6shhksqaAFMq7Sm15bGkU6uWhYiQ1Up3Z7ZSVU22GHbt/ylJS8vILawsjCN+p5/1x8vO9vxv3mIPexTSgPLZsPwANSOcNUCBkFsnbJjpphvv8hDjw3HYtVQaDMFfmFIHXN6NhcaPlVYbQYXAofIsqFbSu+1LcACZVQ3UVptETvir/j4dG6TpQC8FV/rForltSWft4KPr7kxPyvejwHxw4MrzGOnugcNcM0WmiXxeZG66ATw3ffrox/frzX0QYcE1IRgvDqDwEJeCKeTAhdgX6OO0TBdA2hFaNVzjWOALjBPHXdmf0z2A0NBG4z/Aecn+Xh5xY9eADm7bE9jZMkEZ9OxsPlu57f8yWoKaPIICqzPTgNBeOPGlVWwnHzmNOngULR/uKmKyO90YdQO4IO3u754EQU7g0x7S00P9xoKYEiSlTEHpYq1XIEwiOz82rSNK6SkFge+i1ZdcGCOYmkGJ99eQweO4qMcnW5q+TQsTZql80UU4RH3CPskeR+WSibko8LPK6KvXYirgVU6P5GBpj8YUA1fZpKCxHAT3MbQRaRn0tR5N6ki/8xYR61E8r7TVfjp4AVW55XY9vAZmua87U8puXp3RtDxPNLo4BSabrjGqC0NaZhkwwnJk49QXhFv33ntp47NS/Ih4YeWqixScT9zxJNY5rW6K04yZYeb4LO/RfvIBOC0KMDt0pG4VXPLMLwx1gm1BI9Qw3q2B0ereJtoS3gYR3xh32MnGK6PjEEsIza/bmis8OTO933qaubiv7C1gEp0yDAY/iRHc9S+XjXTtTvNEppue06klafOwDMIumYzQ/s12804cW0GlQfdAznV1q+4hOLMxrqenI4zId6daoS7OcoOjcwt4hiTIQykcBIjSFX90YepAAmFvFT2XYykrxSgitkFQpaV/b8Uqb26C00r6+bIcKNU8UT9F/UWQCkiEuG6VJRoWFMWUcq0CT9ii3vpGOjgGwhzmyeczf8JoMCyBmOriJ6F3jmi6CQf6kWezOmdOYx0MqBr5F1rr2/f6bu2A25f0Y34iX/dBAAsHDZPMTEr91CRNGWyDZjFIUwUFKpy8hmj3FLUWwlOPlzxh2IIqFG9eRxUUSPDR4nPtxPy73BkIzZtDfgQ9tga0va9+h4L3cTHmCs9Zy5Sq7d3n9gIChdu6xmsgRR06tkj7klarNGyrTwBhGbMF64c79oA5Z+xdjps2O7VU0mbcxZSScWH8SEny7uxhsXyD48mzmwGEVjuR9wIhlCg8Ck4nydvByrfcdj/3to4iWbS0fFdGpHlkMYxnGF33JWhXQoiNgBkAGMAOQAwAGMAZAA5ADQAMQBhADgAMQA3ADYAOQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAFUAUgBVAE8AWgBXAEcARgAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADMAMwAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADMAOAA5AC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcLOQ2nt4HIABAYoBBTIuMy4y ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6dc90cd941a81769

https://mazedecrypt.top/6dc90cd941a81769

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2160
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A58EC127D954BA3C811C961BB65C90F5
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\wbem\wmic.exe
        "C:\nrxv\a\..\..\Windows\c\opw\ynl\..\..\..\system32\snk\a\..\..\wbem\lxsei\ecdjh\..\..\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2464
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2820
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\DECRYPT-FILES.txt
      Filesize

      10KB

      MD5

      fb782ce8aaf2eee1839a6ccd42cc1d37

      SHA1

      179d3fb8a1690314a520129a0704399cfe355d6f

      SHA256

      1300f288f0f36f534ccc2897a0653a5e7f2655487f6d66aae7c93895e1892388

      SHA512

      d3083e6901d9845d14472db33d4e53d0db7adce42d48b50941678a08b84014327ec9902a019615ca6aef90d06d147cfa53be5152ccebe280671ba4fa96b313c8

      Download Submit

    • C:\Config.Msi\f7683a3.rbs
      Filesize

      770B

      MD5

      ad73565c3a021e7afc57b2be3df8ef01

      SHA1

      d13bf86e286520c30eaf5fd21a57564903924d68

      SHA256

      0eafc10378df64d9ca5223f10e482a23b534b5de8890f95d9d96205115dab224

      SHA512

      645b62cf20b09d40535a59805f781fadbe252234c4b5be5bddca88c8b6ae52e9ed84446394997e20643cbc8d009de80b3f5c8ade1c67c47253e381957329ed58

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2BFC39EC52024679BD3781D4359B334F.dat
      Filesize

      940B

      MD5

      663fdb249d342d3f0fffec117cdfa382

      SHA1

      6dd43fceb2908949bf1d2a4538ffe7a550862c0c

      SHA256

      a08023d0a806a85aa75b507297db1fc5c363410d98b8c4fc2145c7889552c9e8

      SHA512

      1f99aac77e8d39e444214ce379957bbc4b8acb3a56f6fbb47c2c67520f4f0c493a896b8ca06888cf41bdff7e9bced117a09a331c233c1e623dbf8210c86024fc

      Download Submit

    • C:\Windows\Installer\MSI8603.tmp
      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

      Download Submit

    • \Windows\Installer\MSI8603.tmp
      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

      Download Submit

    • memory/2592-13-0x00000000023B0000-0x000000000240D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/2592-18-0x00000000023B0000-0x000000000240D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/2592-20-0x00000000023B0000-0x000000000240D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/2592-23-0x00000000023B0000-0x000000000240D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/2592-801-0x00000000023B0000-0x000000000240D000-memory.dmp

      Filesize

      372KB

      Download