Overview

overview

10

Static

static

1

af64b56850...e2.msi

windows7-x64

10

af64b56850...e2.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2023 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af64b568501ce3d7e43ace3dca1183e2.msi

  • Size

    496KB

  • MD5

    af64b568501ce3d7e43ace3dca1183e2

  • SHA1

    88d52d7ebe72415d1ee1ff16ffe8afda0b052df0

  • SHA256

    bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

  • SHA512

    b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

  • SSDEEP

    12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh

Score
10/10
mazeransomwaretrojan

Malware Config

Extracted

Path

C:\Users\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6beb0cb347db9a2f e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6beb0cb347db9a2f b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- kkTlyTB1zIaZ3oeJQImACTtSC+DNi1NwcEDqC0N66t3c2F2oHiKUVFklHvHIWnP+Hl3iwL+tCqBhirJW2CUKBd7FB1FUx1wXsXXPI0oK5TxAl8l3uwqqHLFd9wdGuOuxIGDz6fMADwmdqCx9u6yyBlKXNgDZAm09xM6YrlhyN/lfNZwBDBamBaMNmsaAuJRgrhKWB2kcoYIRphTwDHop2SG+ub31v0ZEVYNAVetW+errOvcr/vSZL80BMcL7s/sVisNNiqdWlWUhcjqx5hfiyZ192nW7lwaW1ry2bp7RkkU7cuhn06/REA2GC33+jgr50WqABu19UmTRDwm8sHuZ0rKELPqpnzpdvsrPRj284yXfJLzD9yxapWhbu+vdCGbwI6V7n+9a+gjhLStRpc0NjUQwgmw7LsPj3MBtL6vQm83rwzZoYyy0B/ovnb1nk4fFW/bIY9TMco9YNQOdiW4QgBEzbFNf3yu/D+qJEX1L8v+rT8bNxacUM0VnKkGd8TNDfGexonTZiV7vS8TFFJSLYG2DlGVs5MFF4b/wBvqlaRRc242YOiVSwSc/ax6JWEkUD+uhIntl8MxLmxpQodSYwF6BLMjJZyO/h8nwIg/AZUl3oq/RWHC4yOsHuB7f4GB+AlqEKlGW8FMfpMtLpnS/20L5FgpzCi8NdVAz4cF6RlW07roxceWpQu/FsjLDFkliBZDKwibgrxJviLd4BnaTZmgqRfEoGpU/Ln1oFAGveq1GQQ6tzPIU69F9K2wCG5tFJqBeD6SvvH9d8PPXQhfqkqAR8xxAxh0lO1TpBEjIR9Mbda1IJeDXflYFrPnF/JIc+GWOE0b/jLnN5Pd8eVdcWJuHda94wQ5qiIhRDrMDEK/zY8XJasWd531EoC8OtbzHCrtVYYx9TrZtgzBkYRK/bgP/scJjuVg6bLqcT56ddEKiKU1GL+JetLSFqOpFAAynOVvn7+qMd5hPRjuKw65x9h48a+C0jeM3hR2kPQQutPp+jM+m/rJrLpiWaUViQbSEWMMLA6RoMPq8yGkQzxVNzLqcrBF+s2PkbsHmEtHR728p4hF9/0mvHyRzjteKTvJ9xB/nKBx4epZggM1fZWoatIdq38FDg9//OvlIYNUWmpcUUgh77fika6UjuPi9deXZ1ohnVQHxyqLPewyFnz5CLl8qEAQfJ+JYcKiNY+WOiHpbZwfxTFXg3zX+TQJFADO3S1TJ8C58ngSmJmeK4k81P8tdRf5sLuLlYIo+CUbwRuV84MKfz7B1+y7rOCrETM/GEUL3eFQP9p02C4rhe8HfHkUXVpjVIymTmaFkWrzSH2isc4bEae0r7nMQO4B72bWrUpsgtX/IwEn7AF8D1tKJMtc52zAGj+3wv1ZqnYPCDblrGRULiRfhICllpvSSc01ID9NMoTVIAsauqhrR30ZmSoO7U6l5Dyxbwq5/nks7I351W0DR1j4P8rERFjgIjaQaWVLVWzgTbxAuIoJ6s9+3qHGgFhhMiDSLxHl00Qo8HnlRqd5+Ke8zifJhOJ9i6H6/M3ZG7cQsXdMywQ7LtG52hdK7sP4BznDPHfVZvTypfYbtuFsD+bXE9JSHa9V0M2o2Y4vIBpAzI4si0tm/y2CD5PzPA392BBKEtqMo1Jggz5rJZJj9YINrYqCnq+72JXLpuvcHphua+uAQy20OxLiKMJBKLJOo0LP6ml4l3zRetxBCm2pOWr+/pcJZ9d+q7f+09L+IsOw6fvEdFQqbyd6+55x1l6mFrYH86zEJuE1/Anc/F7TLnr2DexxS71HfF5Fv5iw10q9xQ2ura6VNx99f/faShuFm4soHXNRIx++/c/isiQMydOG8uQyDe7OaykyZwB4ZwKa5mOz8RU/1dhzicC27xr3SP6EGBOnyR8HMwtxrVeFyjr2woMSvlkvmj9OWZHHfIdbu9vZShtd3AtS13u0E0OYGd/2qJf8ztmW7fitATcHlDjDgRDeEsMLK7rwan3b8HNC+1AeQRBJfkPvZW7lH3w6muQqzhxsLmNHeRC4Dl5BlOqKgr/0m9zXa03KcQriC8VH4k7noEZmiX8mDuv49DgAN4akKoZ0h1IdywsVdgrB6Y/9xPnIqN4786hmSWZiEPlzkW/DcssZM6mnHET7JCF0RPkuOOEHRjc8htrKlPrl7/7B5E8fwD/LRp9RmsDzzlJxy3/bSLs8UYGzW0tjbF1aUH+EWKb6aQJj3Vo6ekr1moWOgGmZEYQ53yA97BPh6IgoiNgBiAGUAYgAwAGMAYgAzADQANwBkAGIAOQBhADIAZgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEYARQBVAFQAWgBDAEkASQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAxADgAOQAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcO3o43J4HIABAYoBBTIuMy4y ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6beb0cb347db9a2f

https://mazedecrypt.top/6beb0cb347db9a2f

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5036
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A02C15D667296BF410A557C25210E380
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\wbem\wmic.exe
        "C:\p\..\Windows\j\pdoj\ji\..\..\..\system32\tuh\..\wbem\c\hkbt\v\..\..\..\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4620
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x41c 0x4a8
    1⤵
      PID:4036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58eb75.rbs
      Filesize

      770B

      MD5

      ab05d16b471c6eee2d6202ffbc469058

      SHA1

      bff924829a18da8a27014230a8c7eeca514dfa0e

      SHA256

      c109fca02d8d71c6fa0ff04855c32522aaae478ca5b7997b6443f4183459c922

      SHA512

      05728b65a4123ec2486699d0457827b9604d951ef2f1b372779ed86cc1646c44849140b2fda7b0cc4326e4f0b49c5aee31834320c55ec3fdf3e6774f9297274e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B05958E041E04BBCB35D04BC68F4C579.dat
      Filesize

      940B

      MD5

      c171e02f9bbf52b4614b944705cdde91

      SHA1

      99d01ad9c82c8b7688117c00e7603678635fdd36

      SHA256

      7ca59b1f475f59187fa610ad44ec38406b1d01a837e6b90920ab1097d71e0208

      SHA512

      89a6d930710ac7413d29f1ba14c53901adf8ef055e76bb551a63167ea5b29a032314bf7ca16f5b5337aee45947e62eac18405e595a07cf1699a5063a70c90827

      Download Submit

    • C:\Users\DECRYPT-FILES.txt
      Filesize

      10KB

      MD5

      77c3a614c675f2b5c7cdb563292f608e

      SHA1

      5b98149307ec0cd34985a632295296514ac78781

      SHA256

      c417d48e0c3afa49ed2a5bab55a7f89c95c18f0382b5232e3697ac0b311e2d42

      SHA512

      96cd68e63f7a531cc4caef7b4844f3d038ace8fb587f664342e2539bd0c43da9da206ef7a0282bb612197cff647a2bdff16b67b98d259606e866d6e6a7e616b5

      Download Submit

    • C:\Windows\Installer\MSIEDA8.tmp
      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

      Download Submit

    • C:\Windows\Installer\MSIEDA8.tmp
      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      13fa4befb65ae433cdf5a0ae55696417

      SHA1

      fc9d107572403d0ee3d57c5ce03ab2ed9114018f

      SHA256

      2ce4bdff6731ae8fd3bf0e02187ea9eac73cb354a0d14767d232d57632ca4ceb

      SHA512

      af363dd6479d74c9ea961382d1ef66d176f7b8cd0a63f74fe26980268a4c3c7646b5cf59555b92594639f3fe7ca26873f6454f3dec04ba7508f2a95ed630d139

      Download Submit

    • \??\PIPE\wkssvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cce326af-4643-4a12-a380-014ce4469c27}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      4565da4926d6dc0261b79be07494e636

      SHA1

      c0b269ae72dc4c1753ea73769cffa06b1144060a

      SHA256

      c5cbf78f78b1eab7258562fd59168f5847cfd38c8b90d6324f51c277910a7dc1

      SHA512

      991e828c4bd48cd30e7cce460243b51deae018cc5532a37bc9edf9db291720e594875edeafb45c6a145465d36cdeb4a6278b8355782c0d633e3929ff1b4f53d0

      Download Submit

    • memory/1344-19-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/1344-30-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/1344-27-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/1344-766-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

      Download

    • memory/1344-24-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

      Download