maze | 3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363

General

Target

3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
Size

453KB
MD5

248c960c1ae54103dea5bfae924f28e2
SHA1

504ce8efee0f7f8329c09c6d045a21c795a84b42
SHA256

3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
SHA512

5b3dd4be33c48cedda5b9270a6454540e837e9611db4d43b35e7290ff7e25dd3b5c0342de6de38f12e8c7d5f291c62ef026236825134d1181e7ba5bdf8103464
SSDEEP

6144:/P2vVfY9RbTrI5Tm6oUAcEtKY/e8lmceEoAE77OvaHhdRwc9/P2wdAn7gJRKKRqX:aVw9prIVpb3F8ltQlBwc9/P2l7gT6

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\odt\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 <br>00000 00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">x79wzuuDYFmxPDfNtH+5DpgMKJZfwpNz0TLV0gMvRFUGrO44OThXI0P9p/VV6f36cjBgwzy5eRUQkpysh1tZstk6F1zZgEnjjZcVWIW/EcLu+XALWuA9hgMFN/Zvk7dVTVBKLQe3CNgoMwRqY5ojDEpEH5F3QSBpXtfPZiOH2PcsxUi+XBGsBYjMawW2lhG1csLTrnRsWY3WEWEUtykcFdI5dSbyf4shOKs4ZMaufw7V4utktO0fWLEcnf/ciEPLGuPrsm2y2UcVnIE8ZkAGi1LDK74jfyo3/qS7KSVcS4lg0D+WydGpxpdCbtd5BzNwAQBdeH5KiapwxUbK0I8fNbCorGpcEzYKhY8gBRF63PmogEbaSLxxSa9Er8iWvIbBg4MtQHIw3grJkf5UJPVPPEBXwOZU+YyWz9iMopnLrfYtLJsOTVJl8pzeTqzsJ8x3MiclsDHSPCWSihjRmtBH5V9iS3+HwBdab+jj3ZcnHXbX7Gt30Xj1FckESW51QLv7MuIoZQ9BM6lNYHe+EuZC+JoHUjW3Trp0hL0iUGKObshaQSNbVgQRpB9yPL2t52mtgW0cnfXYmbgS0LHMVlY8IgqOR5tRlfEVP7XeMZQPWcwXCdB5NV1UmFWUHCBu6ToyQOAOsmj3nlWES4Hsmmukf7uSqoM19qOI1Tl/e1QpRBr6we5Hs4+yE5BmJU1vd0sBraMzvlGdVKoNzCIzP46ZiMZY9A8UvtzH0qKd0StQuuYzxQ1HwB5YzdvbLY/ZVOvgPmemERgs3Y+k6aorFtE0hDRj+Hlppg6FLALbsvDsAuCD6x/nxh7QOcvTqlHZBaR9tpO5SOJdh2a7UjQpqJcL+E4HXAGVuH5chlF0dbn4cXNcsdmnadHGNpFTZqcBp5wSKqPKp4qQ9UZIpOFJB5Z8S9DPQKLC24s7240cZL29cj9n6NHKklzpVr28Y/tlq1BEFTq/AykipRahcBFCS0/3nYXNWqWpamBzO6VYWBhIsyWDwjBymKtFaG6MKGDeSpjf+3c1Najs59GxOqCUEklhbc4XNGwrRyPIdWym75/KjKevTPckOuFYiUnihTTku5MaNn4X/5RZohsJwP8KzcXb1ZTJLm5bmvO2WtVu9xoulIqQKxZ5LrRZ388c5Yb5S/osIQB6jIcfxxNDEmwqUs71IYCwIhG2y1aupFXgS7bLJqBfQL+PwtATOO83V5UWofGY3iCpw+vQc5E4bS2FC2NVYjAOiCd9LzhaEoOMVJ97sKzmpl6StUM2lXwifVLCnWlOFJozpCFMXgFUth+jtQVr8ofIvdfsSOnEV+xWsGz5acVTHztyyYRGAgKlndl0v5VVwgdPuFgvaZMaMYslHmbyjydcH+dVV3sYr1SYCy39xlbID3IKtiWfo+DSrdgJsLR0rsMTqWMAOV58QJiR3Jl+4oUPVJVvm2UpW3houpk0fcPM1dBHKpx1wjANF7LTgP4a4/DHCPUmoS+pNNRvsINE0ycjSmWY5sp9fr5bqblQlMwd6q7JypVUXoMbv3OfdRt9LHwDczK15YGU9EtrumJb6q6PeQFOL6xLSHwiRmRPVEV0ErhAp5svl3fE/3PqGgRR7WEVchWdK4ARU7OKGxJlDnk2OIezuz/L80B70hn3timq0VX0mLE5Mu1vbL0LKFJEOMPwMHDFaagVvuB3dBGHggnD8d2WXxSDbX7x9/rV0g1ITHv9d7PyV1FoE7DBCFKJ2kY/Xrx9/nHnsg2YAmZnG9UOW4d7O6fBmsy49/gDtK5ur28NbZJhSoxVMUh0yh4XrqEwGELNuboDZfZCRWhtQp5saV/qN9vsZf1di+pc5MKrCO7ujprQmoq69AEUD5JU36VDwtUSv8C6Kig+NybrwpDcmTU66wGRjXUX/1K8QyhA48RxMuW5uh3H0TiPpCrjrxSQmIcMWzhC5YVKBJDbVjowAYGgq12NLUDzMvQp4SkTuce2PomRXT4daQHISTgd3nS4xSmq49CsJM4jWfFZ/2+K5WWYh6nR5sSrhzrR8E1XJ3pfueRHpEF6qi9WN84XWHlPjA+Ijf8FCyk3fn7PvaIB2t+MwMEjNSSiRBg5W1r6Zx38coj6kO5lWIx5tCOOZXFn4Z/hbptasEGE83g8uVjmC1jnyBOKxk0JJ6veCHeWFrKm+8TVWbB7+3RN/mVhgMooeEwsu59/p7FYbFYaaNM5Z3nlurK2dst/gXX2wtNDw1j1pyT3A/1PYB9VWiY5C/P1EAoiOAA2ADgAMAAwADkANgA3ADQAMgA2ADcAYgA2ADkAOQAAABCAYBoMQQBkAG0AaQBuAAAAIhJBAEQASgBWAEsARgBHAEYAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCh6d9yeAGAAQGKAQgwLjkub2ZmbA==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>

Emails

<b>[email protected]</b>

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

pid	process
1360	3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
1360	3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3112	wmic.exe
Token: SeSecurityPrivilege	3112	wmic.exe
Token: SeTakeOwnershipPrivilege	3112	wmic.exe
Token: SeLoadDriverPrivilege	3112	wmic.exe
Token: SeSystemProfilePrivilege	3112	wmic.exe
Token: SeSystemtimePrivilege	3112	wmic.exe
Token: SeProfSingleProcessPrivilege	3112	wmic.exe
Token: SeIncBasePriorityPrivilege	3112	wmic.exe
Token: SeCreatePagefilePrivilege	3112	wmic.exe
Token: SeBackupPrivilege	3112	wmic.exe
Token: SeRestorePrivilege	3112	wmic.exe
Token: SeShutdownPrivilege	3112	wmic.exe
Token: SeDebugPrivilege	3112	wmic.exe
Token: SeSystemEnvironmentPrivilege	3112	wmic.exe
Token: SeRemoteShutdownPrivilege	3112	wmic.exe
Token: SeUndockPrivilege	3112	wmic.exe
Token: SeManageVolumePrivilege	3112	wmic.exe
Token: 33	3112	wmic.exe
Token: 34	3112	wmic.exe
Token: 35	3112	wmic.exe
Token: 36	3112	wmic.exe
Token: SeIncreaseQuotaPrivilege	3112	wmic.exe
Token: SeSecurityPrivilege	3112	wmic.exe
Token: SeTakeOwnershipPrivilege	3112	wmic.exe
Token: SeLoadDriverPrivilege	3112	wmic.exe
Token: SeSystemProfilePrivilege	3112	wmic.exe
Token: SeSystemtimePrivilege	3112	wmic.exe
Token: SeProfSingleProcessPrivilege	3112	wmic.exe
Token: SeIncBasePriorityPrivilege	3112	wmic.exe
Token: SeCreatePagefilePrivilege	3112	wmic.exe
Token: SeBackupPrivilege	3112	wmic.exe
Token: SeRestorePrivilege	3112	wmic.exe
Token: SeShutdownPrivilege	3112	wmic.exe
Token: SeDebugPrivilege	3112	wmic.exe
Token: SeSystemEnvironmentPrivilege	3112	wmic.exe
Token: SeRemoteShutdownPrivilege	3112	wmic.exe
Token: SeUndockPrivilege	3112	wmic.exe
Token: SeManageVolumePrivilege	3112	wmic.exe
Token: 33	3112	wmic.exe
Token: 34	3112	wmic.exe
Token: 35	3112	wmic.exe
Token: 36	3112	wmic.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

description	pid	process	target process
PID 1360 wrote to memory of 3112	1360	3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe	wmic.exe
PID 1360 wrote to memory of 3112	1360	3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\system32\wbem\wmic.exe
  "C:\o\y\oyjsx\..\..\..\Windows\e\r\..\..\system32\smmv\ddryd\mfl\..\..\..\wbem\qk\dsa\rakyp\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\DECRYPT-FILES.html

Filesize
6KB

MD5
0ba3fdc9ee2bf0a8ae3676d3cb8d96aa

SHA1
7448fe4d4e450a90820f4805d817bbc231cb612e

SHA256
3cc092c189045288c7a1fc68e73caa4fbda2b9d2133f0c6549e108e000b7956a

SHA512
3d33d072c62c83a698c78d0bede6335a9aaa0cdeaf90cf8ed31c183abe84097453d0a8603a294861c744f303bb51e2d4be0f654de28e4dbc11579f6ecde9c8d8

Download Submit
memory/1360-0-0x0000000002940000-0x0000000002999000-memory.dmp

Filesize
356KB

Download
memory/1360-4-0x0000000002940000-0x0000000002999000-memory.dmp

Filesize
356KB

Download
memory/1360-6-0x0000000002940000-0x0000000002999000-memory.dmp

Filesize
356KB

Download
memory/1360-9-0x0000000002940000-0x0000000002999000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads