maze | e84c050d38730a0bf098476cc6a167f9944521a0e4e1beedb2dab331a166fc52

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Week 5 Malware.exe
Size

1.1MB
MD5

ce65b4b61c076642a5f98fa780d43899
SHA1

0a60240eb6e96836d6ca4b82f531ecc98ddbb4bb
SHA256

e84c050d38730a0bf098476cc6a167f9944521a0e4e1beedb2dab331a166fc52
SHA512

3f74a006ea16c182a3eaa896886fb7ed70ebf4fb74641dca77bcff300e89fe1ce230ac1fb29b168f7b0d4033954917439add8e31ea027c9041ffc3363220323f
SSDEEP

12288:BB4ONL1Oa+iJBPWhbvULrJ6Bti3ERXxlcWdMhaex:j9hEYsbvULrwC+Xxlc+Pex

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/86d409715e283987 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/86d409715e283987 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- Y2D3ytSoqR2bIFmRCnNI/d7/CxncFOtCI+fSvZu4hKx49YgT24j1PKB8y2N5mJnAf3VVKphzYUOXhjEscB3SbL90EV/wlflXWbd6FloPOjr/Z/EW9Qsc2xwQ7w6TmiBrEiPKIImNNilWbxn3Jx1SHwuXP4fydIptze+p1O8scdbA9IRVoME4ISWuDn65EG6N93P84mbmZlbcZO9muiXm0ni1iZnRpXNpfLfk3o1u4FS7zmibm7FnJUJ4XX8CTexdQ4ExxoH8c1DzRA9LmXbxB3g9yTuy6Ixgqx+2nLGMTFqdrUsJTa1hkIjSWl3oFldcOxMR08hTbadDxpMopjKBGjCWNIL2abZVAnrFiWYMZfF6d0c5YvLWmsASJ5Jeytl4CjnFonuRQW8X8x0yxlV1j7kri/4ZVtCLUiSD0zGq58DLt0Ap2osmyiXFqN1GT4MPb6PTk0Dws8kPNIz2wE8xOjLNNmS2DP1KEwzvibQiELX4rjc2BCgsCbvfc1Aru2jrvj7KfKI/V+NKqzSuroPCZ87Y93tUAHqqogT4+zambhPJcB2CkK2pRz/c7MFer+RXpZV+wPqaWpqYvUb8scn5j+cXI5gKTcD3p376G3pLTBwwggnm2qnoLqhvT90IjgBkp9JMM5tXu/qlDc9JVL+8C2o7//C7UUGrcnfy89gDAdUSm9IqA7Rxh4CJyNP7oKWo+SFDzAlGYgpqlbLxCRcry5TiQJ5UKDNn5/5pbm39fW+uiLtiFVm4IinX3nfpL92I6yALqFSR8XssA5tdzMzmNgYC7T2GLV/YJxroLqh37o5P3uOJi7hV9z1w2uuXSQMC3ranKi8qG1V5ciRHAuFQDcWDkMSMOb7eEOJ5VGlN/nGwdzMh0ydqYmnSJSmYorfIjYUTXoGhgroI2hUmNHdw54Aik/I2R6l8mlJgDUkPsfUlsHMTTQaxDdI6c3GdJ9pTFt64uUFdpyZeumIS+63CCafCqicB514nKxw15h0x4eNlR/vZLhXizsNpk20Ylyg6wBvfVW6kBfpMkVZ0YgufNjoHagzMToOzCzRh7fW3FCohiBI1RqEwzVmGJaR2L86o0iSWBzpM2unVmAFzyNGSMiOP5TYa1N5UVwN6wOHi1RKfO2l06CkH2qTgt0oRYyr2D+pWURBR61pyyCgkQ0LlOgO3wE5DsfEhqa7mTmOgxLcM2ER0jz4Rw0+HyaWZRxgjLLcbVK8BLy2MleNLhSDTNYpxDijBYYzvyl3T3NKoUwZCTDez64waEL/J/LdufU8koNz2hP+G78nd3s+cipL8hgiI0EEsbAmRzJOlIsrkOZQ04caSGfx25gZwHOZ29rsRTxiaocE1KdOifJra19PEuCxA5fefVzfRSu+GoMAJ9KYFVzFAkgNmH5QXpe+x1yKcn+Af9UmiELlkWhpG9pso/QwZc5GOJmytW7lzIlvyERxH7uhPfQ92ggEa3c9YO3D2aXQeoT/bvlqbp5LGN4yQFr+92RmkIksL5LXYN2q9jAAycXzTpOXmzuJQ7GhZwfVIsB80oQZF3xfk1pgqv2Ge95TMM6yBctiaEeOFUEtjVezJrnwh68/r7p9pftzGnawhoUBl5lKEmo5KisygdWZwdc2hnagyIFfRgKK6F2nW92UbnuDhCL9cVUAXtfJgkjNV7URl2OcyUyFW09dMvdaYkNqfuC2PUPknoieQDsoMIf1yVsyK8G84K3O32VLQo5YEZ+efiCNQvrMsBK/goLTE7ydVnrSHjDjtP0a6wF+PRRELdbWge78oJWQSjKRLK+hXJcatymxO4vIlN2Xso0SG/ynuoF7X/9weN9S7/3dZ8y/g6qcRR2qKUsoElKQ0sj8mfeGEelSw6uD1p+GYPkZkSN9Uav6fr4mALM2crZI7sWh8AUAgSWmrjBG4/0nVNR24j3etU+QKANj3h261gwyQ7SagvYUB9yTZsY2mCUJoWh914yf1WnRYW2IheU2TUuU4xlwZmPIf2lIi1lYnx7XASSK8FERIY642nB8WoTYMPG/k78iQ+yiSKtuScUHsQaVj7U/vP9fbyq3qar22uxymaWRgqdmzSdu34xlsnvavrqkHFJvkNMmMmS5qqKwRxGVKN3AmiZELkzqTx5ucKPBeZl7Kl69yr2oTKm7bUw9vzGfNotWOjRMbYvWqvkQ3o4HboP+/w4ZjXlQSA8ULB+l82szx960nSvpWZp0S3I2pTDDLDfACbRBKoNQUxIxWG3hSApyGeQoiOAA2AGQANAAwADkANwAxADUAZQAyADgAMwA5ADgANwAAABCAYBoMQQBkAG0AaQBuAAAAIhJTAEMARgBHAEIAUgBCAFQAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADQALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDerNh7eA2AAQKKAQUyLjEuMQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/86d409715e283987

https://mazedecrypt.top/86d409715e283987

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	Week 5 Malware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86d409715e283987.tmp	Week 5 Malware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	Week 5 Malware.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	Week 5 Malware.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	Week 5 Malware.exe
File opened for modification	C:\Program Files\86d409715e283987.tmp	Week 5 Malware.exe
File opened for modification	C:\Program Files\ConnectJoin.mov	Week 5 Malware.exe
File opened for modification	C:\Program Files\ExportRestore.wps	Week 5 Malware.exe
File opened for modification	C:\Program Files\LockOpen.TTS	Week 5 Malware.exe
File opened for modification	C:\Program Files\MeasureSplit.mhtml	Week 5 Malware.exe
File opened for modification	C:\Program Files\UnpublishFormat.wdp	Week 5 Malware.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\86d409715e283987.tmp	Week 5 Malware.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\86d409715e283987.tmp	Week 5 Malware.exe
File opened for modification	C:\Program Files\ConnectExit.mpg	Week 5 Malware.exe
File opened for modification	C:\Program Files\ExitLimit.pptx	Week 5 Malware.exe
File opened for modification	C:\Program Files\ReceiveConfirm.M2T	Week 5 Malware.exe
File opened for modification	C:\Program Files\SwitchDisconnect.mp2v	Week 5 Malware.exe
File opened for modification	C:\Program Files (x86)\86d409715e283987.tmp	Week 5 Malware.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	Week 5 Malware.exe
File opened for modification	C:\Program Files\SetEnable.tif	Week 5 Malware.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\86d409715e283987.tmp	Week 5 Malware.exe
File created	C:\Program Files\DECRYPT-FILES.txt	Week 5 Malware.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	Week 5 Malware.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2344	Week 5 Malware.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	2304	vssvc.exe
Token: SeRestorePrivilege	2304	vssvc.exe
Token: SeAuditPrivilege	2304	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2760	wmic.exe
Token: SeSecurityPrivilege	2760	wmic.exe
Token: SeTakeOwnershipPrivilege	2760	wmic.exe
Token: SeLoadDriverPrivilege	2760	wmic.exe
Token: SeSystemProfilePrivilege	2760	wmic.exe
Token: SeSystemtimePrivilege	2760	wmic.exe
Token: SeProfSingleProcessPrivilege	2760	wmic.exe
Token: SeIncBasePriorityPrivilege	2760	wmic.exe
Token: SeCreatePagefilePrivilege	2760	wmic.exe
Token: SeBackupPrivilege	2760	wmic.exe
Token: SeRestorePrivilege	2760	wmic.exe
Token: SeShutdownPrivilege	2760	wmic.exe
Token: SeDebugPrivilege	2760	wmic.exe
Token: SeSystemEnvironmentPrivilege	2760	wmic.exe
Token: SeRemoteShutdownPrivilege	2760	wmic.exe
Token: SeUndockPrivilege	2760	wmic.exe
Token: SeManageVolumePrivilege	2760	wmic.exe
Token: 33	2760	wmic.exe
Token: 34	2760	wmic.exe
Token: 35	2760	wmic.exe
Token: SeIncreaseQuotaPrivilege	2760	wmic.exe
Token: SeSecurityPrivilege	2760	wmic.exe
Token: SeTakeOwnershipPrivilege	2760	wmic.exe
Token: SeLoadDriverPrivilege	2760	wmic.exe
Token: SeSystemProfilePrivilege	2760	wmic.exe
Token: SeSystemtimePrivilege	2760	wmic.exe
Token: SeProfSingleProcessPrivilege	2760	wmic.exe
Token: SeIncBasePriorityPrivilege	2760	wmic.exe
Token: SeCreatePagefilePrivilege	2760	wmic.exe
Token: SeBackupPrivilege	2760	wmic.exe
Token: SeRestorePrivilege	2760	wmic.exe
Token: SeShutdownPrivilege	2760	wmic.exe
Token: SeDebugPrivilege	2760	wmic.exe
Token: SeSystemEnvironmentPrivilege	2760	wmic.exe
Token: SeRemoteShutdownPrivilege	2760	wmic.exe
Token: SeUndockPrivilege	2760	wmic.exe
Token: SeManageVolumePrivilege	2760	wmic.exe
Token: 33	2760	wmic.exe
Token: 34	2760	wmic.exe
Token: 35	2760	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2760	2344	Week 5 Malware.exe	32
PID 2344 wrote to memory of 2760	2344	Week 5 Malware.exe	32
PID 2344 wrote to memory of 2760	2344	Week 5 Malware.exe	32
PID 2344 wrote to memory of 2760	2344	Week 5 Malware.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Week 5 Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Week 5 Malware.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\wbem\wmic.exe
  "C:\v\..\Windows\lw\dolxj\nhvp\..\..\..\system32\r\..\wbem\eo\pasb\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_FCB3BEAC6DA74414B47FD82CB499B6F7.dat

Filesize
940B

MD5
53710f18878d8df3b9d1a6ed69395804

SHA1
80df5f5e2f52ff11117e3cd2cbc6f6d735d2ad11

SHA256
88030d906da72135116c0e8997459ba9806fa48af061519635a0b28ac3ccd784

SHA512
b7e6fe641bcc8a9a1c9d69b478be2db31da5513bc016da6b889e31227d9f726b5191c657550217e9249cbb11516a6cd268c06769bb63561dfc1d261bce346bd7

Download Submit
C:\Users\DECRYPT-FILES.txt

Filesize
9KB

MD5
2af8091bc87f3e11151b4233ddeef2fb

SHA1
1210a7186c5e11a76a8ca8946425271fee20e37a

SHA256
dad3df72420b35ecde888c80b6dbaaa31e09ce41c3d30f698d1748ccfd386a9d

SHA512
2fad6f25e4340e004c21440756cefe9c2cf4bc37c37ab5d97e4d73afff31c4203d6c51e6125856d29736fb693182c21270e06ee2f8724d4740476b9228a857fb

Download Submit
memory/2344-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2344-1-0x0000000000290000-0x000000000031E000-memory.dmp

Filesize
568KB

Download
memory/2344-2-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2344-786-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2344-787-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download