Analysis

  • max time kernel
    152s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2023 02:49

General

  • Target

    af64b568501ce3d7e43ace3dca1183e2.msi

  • Size

    496KB

  • MD5

    af64b568501ce3d7e43ace3dca1183e2

  • SHA1

    88d52d7ebe72415d1ee1ff16ffe8afda0b052df0

  • SHA256

    bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

  • SHA512

    b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

  • SSDEEP

    12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh

Score
10/10

Malware Config

Extracted

Path

C:\Users\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6beb0cb347db9a2f e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6beb0cb347db9a2f b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- kkTlyTB1zIaZ3oeJQImACTtSC+DNi1NwcEDqC0N66t3c2F2oHiKUVFklHvHIWnP+Hl3iwL+tCqBhirJW2CUKBd7FB1FUx1wXsXXPI0oK5TxAl8l3uwqqHLFd9wdGuOuxIGDz6fMADwmdqCx9u6yyBlKXNgDZAm09xM6YrlhyN/lfNZwBDBamBaMNmsaAuJRgrhKWB2kcoYIRphTwDHop2SG+ub31v0ZEVYNAVetW+errOvcr/vSZL80BMcL7s/sVisNNiqdWlWUhcjqx5hfiyZ192nW7lwaW1ry2bp7RkkU7cuhn06/REA2GC33+jgr50WqABu19UmTRDwm8sHuZ0rKELPqpnzpdvsrPRj284yXfJLzD9yxapWhbu+vdCGbwI6V7n+9a+gjhLStRpc0NjUQwgmw7LsPj3MBtL6vQm83rwzZoYyy0B/ovnb1nk4fFW/bIY9TMco9YNQOdiW4QgBEzbFNf3yu/D+qJEX1L8v+rT8bNxacUM0VnKkGd8TNDfGexonTZiV7vS8TFFJSLYG2DlGVs5MFF4b/wBvqlaRRc242YOiVSwSc/ax6JWEkUD+uhIntl8MxLmxpQodSYwF6BLMjJZyO/h8nwIg/AZUl3oq/RWHC4yOsHuB7f4GB+AlqEKlGW8FMfpMtLpnS/20L5FgpzCi8NdVAz4cF6RlW07roxceWpQu/FsjLDFkliBZDKwibgrxJviLd4BnaTZmgqRfEoGpU/Ln1oFAGveq1GQQ6tzPIU69F9K2wCG5tFJqBeD6SvvH9d8PPXQhfqkqAR8xxAxh0lO1TpBEjIR9Mbda1IJeDXflYFrPnF/JIc+GWOE0b/jLnN5Pd8eVdcWJuHda94wQ5qiIhRDrMDEK/zY8XJasWd531EoC8OtbzHCrtVYYx9TrZtgzBkYRK/bgP/scJjuVg6bLqcT56ddEKiKU1GL+JetLSFqOpFAAynOVvn7+qMd5hPRjuKw65x9h48a+C0jeM3hR2kPQQutPp+jM+m/rJrLpiWaUViQbSEWMMLA6RoMPq8yGkQzxVNzLqcrBF+s2PkbsHmEtHR728p4hF9/0mvHyRzjteKTvJ9xB/nKBx4epZggM1fZWoatIdq38FDg9//OvlIYNUWmpcUUgh77fika6UjuPi9deXZ1ohnVQHxyqLPewyFnz5CLl8qEAQfJ+JYcKiNY+WOiHpbZwfxTFXg3zX+TQJFADO3S1TJ8C58ngSmJmeK4k81P8tdRf5sLuLlYIo+CUbwRuV84MKfz7B1+y7rOCrETM/GEUL3eFQP9p02C4rhe8HfHkUXVpjVIymTmaFkWrzSH2isc4bEae0r7nMQO4B72bWrUpsgtX/IwEn7AF8D1tKJMtc52zAGj+3wv1ZqnYPCDblrGRULiRfhICllpvSSc01ID9NMoTVIAsauqhrR30ZmSoO7U6l5Dyxbwq5/nks7I351W0DR1j4P8rERFjgIjaQaWVLVWzgTbxAuIoJ6s9+3qHGgFhhMiDSLxHl00Qo8HnlRqd5+Ke8zifJhOJ9i6H6/M3ZG7cQsXdMywQ7LtG52hdK7sP4BznDPHfVZvTypfYbtuFsD+bXE9JSHa9V0M2o2Y4vIBpAzI4si0tm/y2CD5PzPA392BBKEtqMo1Jggz5rJZJj9YINrYqCnq+72JXLpuvcHphua+uAQy20OxLiKMJBKLJOo0LP6ml4l3zRetxBCm2pOWr+/pcJZ9d+q7f+09L+IsOw6fvEdFQqbyd6+55x1l6mFrYH86zEJuE1/Anc/F7TLnr2DexxS71HfF5Fv5iw10q9xQ2ura6VNx99f/faShuFm4soHXNRIx++/c/isiQMydOG8uQyDe7OaykyZwB4ZwKa5mOz8RU/1dhzicC27xr3SP6EGBOnyR8HMwtxrVeFyjr2woMSvlkvmj9OWZHHfIdbu9vZShtd3AtS13u0E0OYGd/2qJf8ztmW7fitATcHlDjDgRDeEsMLK7rwan3b8HNC+1AeQRBJfkPvZW7lH3w6muQqzhxsLmNHeRC4Dl5BlOqKgr/0m9zXa03KcQriC8VH4k7noEZmiX8mDuv49DgAN4akKoZ0h1IdywsVdgrB6Y/9xPnIqN4786hmSWZiEPlzkW/DcssZM6mnHET7JCF0RPkuOOEHRjc8htrKlPrl7/7B5E8fwD/LRp9RmsDzzlJxy3/bSLs8UYGzW0tjbF1aUH+EWKb6aQJj3Vo6ekr1moWOgGmZEYQ53yA97BPh6IgoiNgBiAGUAYgAwAGMAYgAzADQANwBkAGIAOQBhADIAZgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEYARQBVAFQAWgBDAEkASQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAxADgAOQAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcO3o43J4HIABAYoBBTIuMy4y ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/6beb0cb347db9a2f

https://mazedecrypt.top/6beb0cb347db9a2f

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5036
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A02C15D667296BF410A557C25210E380
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\wbem\wmic.exe
        "C:\p\..\Windows\j\pdoj\ji\..\..\..\system32\tuh\..\wbem\c\hkbt\v\..\..\..\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4620
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x41c 0x4a8
    1⤵
      PID:4036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58eb75.rbs

      Filesize

      770B

      MD5

      ab05d16b471c6eee2d6202ffbc469058

      SHA1

      bff924829a18da8a27014230a8c7eeca514dfa0e

      SHA256

      c109fca02d8d71c6fa0ff04855c32522aaae478ca5b7997b6443f4183459c922

      SHA512

      05728b65a4123ec2486699d0457827b9604d951ef2f1b372779ed86cc1646c44849140b2fda7b0cc4326e4f0b49c5aee31834320c55ec3fdf3e6774f9297274e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B05958E041E04BBCB35D04BC68F4C579.dat

      Filesize

      940B

      MD5

      c171e02f9bbf52b4614b944705cdde91

      SHA1

      99d01ad9c82c8b7688117c00e7603678635fdd36

      SHA256

      7ca59b1f475f59187fa610ad44ec38406b1d01a837e6b90920ab1097d71e0208

      SHA512

      89a6d930710ac7413d29f1ba14c53901adf8ef055e76bb551a63167ea5b29a032314bf7ca16f5b5337aee45947e62eac18405e595a07cf1699a5063a70c90827

    • C:\Users\DECRYPT-FILES.txt

      Filesize

      10KB

      MD5

      77c3a614c675f2b5c7cdb563292f608e

      SHA1

      5b98149307ec0cd34985a632295296514ac78781

      SHA256

      c417d48e0c3afa49ed2a5bab55a7f89c95c18f0382b5232e3697ac0b311e2d42

      SHA512

      96cd68e63f7a531cc4caef7b4844f3d038ace8fb587f664342e2539bd0c43da9da206ef7a0282bb612197cff647a2bdff16b67b98d259606e866d6e6a7e616b5

    • C:\Windows\Installer\MSIEDA8.tmp

      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

    • C:\Windows\Installer\MSIEDA8.tmp

      Filesize

      462KB

      MD5

      718d001ca0e953c5f52f8a4ae2697411

      SHA1

      4e5727a404418663b228fedba2007de26f830b07

      SHA256

      53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd

      SHA512

      3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      13fa4befb65ae433cdf5a0ae55696417

      SHA1

      fc9d107572403d0ee3d57c5ce03ab2ed9114018f

      SHA256

      2ce4bdff6731ae8fd3bf0e02187ea9eac73cb354a0d14767d232d57632ca4ceb

      SHA512

      af363dd6479d74c9ea961382d1ef66d176f7b8cd0a63f74fe26980268a4c3c7646b5cf59555b92594639f3fe7ca26873f6454f3dec04ba7508f2a95ed630d139

    • \??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cce326af-4643-4a12-a380-014ce4469c27}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      4565da4926d6dc0261b79be07494e636

      SHA1

      c0b269ae72dc4c1753ea73769cffa06b1144060a

      SHA256

      c5cbf78f78b1eab7258562fd59168f5847cfd38c8b90d6324f51c277910a7dc1

      SHA512

      991e828c4bd48cd30e7cce460243b51deae018cc5532a37bc9edf9db291720e594875edeafb45c6a145465d36cdeb4a6278b8355782c0d633e3929ff1b4f53d0

    • memory/1344-19-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

    • memory/1344-30-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

    • memory/1344-27-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

    • memory/1344-766-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB

    • memory/1344-24-0x0000000002820000-0x000000000287D000-memory.dmp

      Filesize

      372KB