maze | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

General

Target

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Size

473KB
MD5

f83fb9ce6a83da58b20685c1d7e1e546
SHA1

01c459b549c1c2a68208d38d4ba5e36d29212a4f
SHA256

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
SHA512

934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
SSDEEP

12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Score

10^/10

maze ransomware spyware stealer trojan

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\DECRYPT-FILES.html

Ransom Note

<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">f52u171tF8JRpMKoZxROmvy4SzORo/zfNP5UN4MoQtJ4rJ2TXZqX6RIX+K5NsA+gDeQA70eb8QySJFkbMJ2JngdLGCSKUoPNq5B2G8oV/WuSF+o4EX9je4SNilV1ihG+9Z1Hvs0qv9xZITYjONDBJx0uacpMOHLXoLvDtBMofG/kjNA/yCT0AJ01p48/B8TQAWazQiaiQXboDi1Tj0UZIr53Hmk7fGIQRsw9JdgBIwU4H8Co7gWibn+SapihhjF1JLHKyi6PkfD8ArN3AYXH4+iVbVCP8xAMT356HnsngUPl1WCs1vhdx+JTUJMqc+CoQi3KFOhAMigse6XH8rKD2dQL+hgKoqUjHuAHslRaf/vhIDzjr8RJqtda2bsTZlpEy8GB6up3kN/JDPlUvf7Tj4tTStCzTggxUTw4Z7qc+tSiHO0C0fdGB22gaz8DZ2QsK+UzNM7pl0KhZ7Ybls8q9ewRFZCVymwE+V4Y5/LuvAsrCzXikQVsN+CvjnYrgPF+/la6f3xUu46V31uon1yCCQ2eVBmVFieR+rdISAdxOPWIPTw/7oG5WK+zReLUtvvl+HxlK4cvqsC0oe46Fa2nHkfjOA+Y1fKiavBgAtD54rXKkwF+jL/w8g4VIMjVusoAu/B7VJMcAREwUvwyqHByPnRSFZik7Tbk8inmpdOS/xSH8X5zODw4MZkOhDqGEofuOmdOOUyhRVvB/vDcfKpEEyJSUOhAYVLRI6wyKpOUCG1+QKmTXNDtoQ7dvKYZ68s1NYkDFjleoyI+y9uFoujbyGOohkUIKlEagnhtQQBiIta5jF1SNkDQSYsLFHmPIG675y+yXM+EALv/kv08Ov3d7hEq3DhSwgGFKuDoXG7iDLTdaXgwp8NBitIqmvqbGgsMdu1aFxJl2ESvK+8Y5cAjkLxCoQiap56fe98pElBLIbAQcrObYg/wuUzTafp83QzcSXoSqmqAspkG7HN2pswKEwCQdOJ5lEnyLJPLwaGwBPPELiwzax6R430fJN+qmaC+gbvhECV/lO6MmKm9TYIPDteuGw+B6AfnXv1D9epPpMGH3yhOpKbwBBWtGRZhp+j+hFybCoCs30Q2C6DUMxAloxqjRlm5odS61WIV8oFNUOZHQdNmcvSLJrqJJxiEt9b94u5dshLt2bc8ncxLzQ7FzPdYEsQDd1CpiAU10n6mD3HMj7rtW+8KhSRLP0h+fywRsBx+Komlf0v1/UzpIdpjW6nPVw7+XU9ZsdWWUjvCuaJ438d5iKbcE2r0WTP5Ap91ZCXc3rIn+4NKj5zd00ybHD7bI2TwBWmUKoof2B6RJiqx3sC4MDVmSDPAQqGslP+nh4gTqX4H/6HNYP1XWPIh4LaDssDZqZudq3SCBRSh6+DyAfqjM8adZANtJOX5oUSqB2IzmwcFOi4U2BOJ0XQDKiIQI9dT+MTwt2s+XL2NrehQPPUlGADu/FKdPu7UijBh7ryIgVuHaqxd5gaAJV4V0dYUEb8aMkmgHIx90cuTczmivcbbQBldg5LC68GjDBnAcgYbBp01tl17U/u2l83Yar8LZzMMk6PuQwV6/170S1bCcxT/tpcmty259DIiLAQpIVehD2qoGx29JYkiuRGwLd0koOaCxi80QFFNV1iIZ70eGxjI/6VQRifBOAaEhJpYqoSL02aVgPlWowbd1tLK/S9jpSS7InsOGOAAR6x70u0+etG7Fm/Tb7KdOPjgr+/B97Onvyxus86Cdh3ti9rfLzNFWTp8HvPAa6X2/siO7fUA53SSJH5LYw/9OlCBPxtEDQQBp0K/RVLb49rI9mvMZggUBxEasCXGOXKBvgEM3EiekXbxqPgtp7NN44RhlaYhmTIzOafdrrYUPZa8XfqEcw7FBqa3kQJ+OhotwWsuZTHj+nZxMmKk+1u5URePYVZv/FBJG0XoXx4VHZPTJvz6NLzBAbMdHMiWsGhw9HXOh1U0aLw4uiTX+dA+dEU76WnoFke10dDCyoU5y8ghXf3qXJjWizn4WbdxPHd4RatSugSbOXjfhwuPRQMIUZ5NmX2+DUQOj0jl17NedSO0tKCn+UJxYXOSfJvQMDRrfY50UZpltYZUiZkdMOFPrF0le//s9uwu7q3T95aNMczecG9/Y6cvW/p8T8vlthWEE5KoGuSIDRva+m7R/wRrWUQDMmhcx28RSDqEVH9KXSx7KaX5wB/CFw6SyzrJl1Q+jY6q6fYer008PG/EtE32aRk6ns59ssDCNwoiOAA3ADQANgAwADkANwBhAGIAMwA2ADkAMwA1ADUAZQAAABCAYBoMQQBkAG0AaQBuAAAAIhJIAEsAVQBMAEIASQBCAFUAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCnx9h7eAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>

Emails

koreadec@tutanota.com<br>Reserve

yourrealdecrypt@airmail.cc</b></u>

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ustda7.dat	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp"	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

pid process

1740 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

pid	process
1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2636	wmic.exe
Token: SeSecurityPrivilege	2636	wmic.exe
Token: SeTakeOwnershipPrivilege	2636	wmic.exe
Token: SeLoadDriverPrivilege	2636	wmic.exe
Token: SeSystemProfilePrivilege	2636	wmic.exe
Token: SeSystemtimePrivilege	2636	wmic.exe
Token: SeProfSingleProcessPrivilege	2636	wmic.exe
Token: SeIncBasePriorityPrivilege	2636	wmic.exe
Token: SeCreatePagefilePrivilege	2636	wmic.exe
Token: SeBackupPrivilege	2636	wmic.exe
Token: SeRestorePrivilege	2636	wmic.exe
Token: SeShutdownPrivilege	2636	wmic.exe
Token: SeDebugPrivilege	2636	wmic.exe
Token: SeSystemEnvironmentPrivilege	2636	wmic.exe
Token: SeRemoteShutdownPrivilege	2636	wmic.exe
Token: SeUndockPrivilege	2636	wmic.exe
Token: SeManageVolumePrivilege	2636	wmic.exe
Token: 33	2636	wmic.exe
Token: 34	2636	wmic.exe
Token: 35	2636	wmic.exe
Token: SeIncreaseQuotaPrivilege	2636	wmic.exe
Token: SeSecurityPrivilege	2636	wmic.exe
Token: SeTakeOwnershipPrivilege	2636	wmic.exe
Token: SeLoadDriverPrivilege	2636	wmic.exe
Token: SeSystemProfilePrivilege	2636	wmic.exe
Token: SeSystemtimePrivilege	2636	wmic.exe
Token: SeProfSingleProcessPrivilege	2636	wmic.exe
Token: SeIncBasePriorityPrivilege	2636	wmic.exe
Token: SeCreatePagefilePrivilege	2636	wmic.exe
Token: SeBackupPrivilege	2636	wmic.exe
Token: SeRestorePrivilege	2636	wmic.exe
Token: SeShutdownPrivilege	2636	wmic.exe
Token: SeDebugPrivilege	2636	wmic.exe
Token: SeSystemEnvironmentPrivilege	2636	wmic.exe
Token: SeRemoteShutdownPrivilege	2636	wmic.exe
Token: SeUndockPrivilege	2636	wmic.exe
Token: SeManageVolumePrivilege	2636	wmic.exe
Token: 33	2636	wmic.exe
Token: 34	2636	wmic.exe
Token: 35	2636	wmic.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2364	wmic.exe
Token: SeSecurityPrivilege	2364	wmic.exe
Token: SeTakeOwnershipPrivilege	2364	wmic.exe
Token: SeLoadDriverPrivilege	2364	wmic.exe
Token: SeSystemProfilePrivilege	2364	wmic.exe
Token: SeSystemtimePrivilege	2364	wmic.exe
Token: SeProfSingleProcessPrivilege	2364	wmic.exe
Token: SeIncBasePriorityPrivilege	2364	wmic.exe
Token: SeCreatePagefilePrivilege	2364	wmic.exe
Token: SeBackupPrivilege	2364	wmic.exe
Token: SeRestorePrivilege	2364	wmic.exe
Token: SeShutdownPrivilege	2364	wmic.exe
Token: SeDebugPrivilege	2364	wmic.exe
Token: SeSystemEnvironmentPrivilege	2364	wmic.exe
Token: SeRemoteShutdownPrivilege	2364	wmic.exe
Token: SeUndockPrivilege	2364	wmic.exe
Token: SeManageVolumePrivilege	2364	wmic.exe
Token: 33	2364	wmic.exe
Token: 34	2364	wmic.exe
Token: 35	2364	wmic.exe
Token: SeIncreaseQuotaPrivilege	2364	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

description	pid	process	target process
PID 1740 wrote to memory of 2636	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2636	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2636	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2636	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2364	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2364	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2364	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe
PID 1740 wrote to memory of 2364	1740	e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\wbem\wmic.exe
"C:\a\axfh\ndpp\..\..\..\Windows\xrvlq\..\system32\wl\..\wbem\j\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\wbem\wmic.exe
"C:\dh\..\Windows\xm\..\system32\obwa\rihw\..\..\wbem\rydx\vxoqw\xv\..\..\..\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_3ACD915573D34D1C82FC1A631F3F9F19.dat
Filesize
940B

MD5
bbe63aac4cb6107ec1ed411b050ca208

SHA1
0f570eb0b1d0c1e494d1115ce787d4b557cc2a85

SHA256
f5085de326c669f81da52fa2312e03a3f4af53a6adb0b33a0e61366f3565bbc0

SHA512
0e3799cd18c4125848df4eaf3f2c16bb45400f00721adeea1e755f0eca8debfb67369f754a129ec5750a5a2e90d4f9232b06193eea1457a01af6175b36733398

Download Submit
F:\$RECYCLE.BIN\DECRYPT-FILES.html
Filesize
6KB

MD5
805df89ee619b4a3c5a38b7b235716e6

SHA1
88e06ffe446cd9a1f6efa8c3662755e6ace11e99

SHA256
5dd31f69361290348bc93dc45c2fcc72b0610d3c04d12126eec501e6139eae73

SHA512
c911576ff7f869ce1b76aac59666c276f0d8e685586e1980b351b28d4259891419e8c17d14ab5dd9ac357888b053b4254fa3d5c7df2268d381f81fca359608e2

Download Submit
memory/1740-0-0x00000000001F0000-0x0000000000249000-memory.dmp

Filesize
356KB

Download
memory/1740-1-0x0000000000670000-0x00000000006CB000-memory.dmp

Filesize
364KB

Download
memory/1740-5-0x0000000000670000-0x00000000006CB000-memory.dmp

Filesize
364KB

Download
memory/1740-9-0x0000000000670000-0x00000000006CB000-memory.dmp

Filesize
364KB

Download
memory/1740-13-0x0000000000670000-0x00000000006CB000-memory.dmp

Filesize
364KB

Download
memory/1740-1873-0x0000000000670000-0x00000000006CB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads