General

  • Target

    RNSM00419.7z

  • Size

    33.1MB

  • Sample

    241028-ts2a9s1mcy

  • MD5

    9bf438de70013d4804f61a9b9dd6ad8f

  • SHA1

    2ce54f24cae92678bd99a158ceb6430a316de443

  • SHA256

    6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2

  • SHA512

    86f0aae8098779eb545ddcc49313941882512a438d9934e5d73323e2a466ebacb945f1cd2f862ca6390f10305cdd7f4a12002535a90a8e31d7622fa95e9df4b8

  • SSDEEP

    786432:6AGOp6uRN1MS3UBfnmdb5t+PFT261B/p0be3Q/qEvWI:/pHtVsnoaFqEhceEvWI

Malware Config

Extracted

Family

azorult

C2

http://mrpeash.zzz.com.ua/1208ve671098xeu281nt2vg129xy12hv0e812/index.php

Extracted

Path

C:\PerfLogs\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention!
----------------------------
| What happened?
----------------------------
We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms.
You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released.
If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
To see what happens to those who don't contact us, google:
* Southwire Maze Ransomware
* MDLab Maze Ransomware
* City of Pensacola Maze Ransomware
After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.
----------------------------
| How to contact us and get my files back?
----------------------------
The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] Using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6bed0caaee9109ca
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/6bed0caaee9109ca
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
----------------------------
| What about guarantees?
----------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network.
If you have any problems our friendly support team is always here to assist you in a live chat!
P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued.
-------------------------------------------------------------------------------
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION!
DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
---BEGIN MAZE KEY---
JthXCYXD4iYlwtxNIt1zWmTjKieYmnZXpx1qw/2P4qZO9EQqh0DPcxDXvfr8b51MYomcJfwLHAJO/XlJ7AbIlk6DHdvQlBBdrR0hUJ2Tp0s20c5mbMafMagD/jNZVxKIByGDeGWPfPPU/ou49HpxaQarHBon0f4K72s3/10+bOTRI0LDi21s9dfSxRTk4xdxVSRBKe+NI9B222KtemhRqEYXTrxOYenGx1A0Jv2PKWSH0Y+wihYKnkO7yqnxK2mjTzq7Hzi0BN6jfcCdG5YtmawClDYvR9roy7OZoDOUZ7EYQ2I3lOBC2cVjYGv+QYFbRW2/WW1o3NQ/roeUMt58PIvU5O/1Id1Xlf4BFcQzaLSFUJ9rEwDKuDipH4KU+JOmfoEqpnYvxtlCBDMmCVQPsNra9jb9l3O5pSRo0HQl3dWPyIe316NmwvoJXkHZStcfxkPuOLRHMa8aE9YVjqxD4nRVuiDANxrR49Dq6p4erBxFzaWlzLpAIDgWHXE193jwVEA3xYsiIrvFZbS55obeNyiOdgszdiO5MQmy95iEd++j9XIlopHri45zibLdjo8By/nuZnqCRlGvF2gZxUTah0l0EiPLIX2v0G1sQoUqrAp7tAZe1Uo1FPsOsmSxpuJdVemWCI6HgVhAojn5uzfv95xuJgy7fb70MDCPcm0fAMjDO5ctONyP/94DDLVHDqexYUCIvODJVb8qaA7Y+z9avyG3WGW0bx/lNxJWKcjHvrcrJjrWghTIDO9QWSwVQUzbqjBGPdhd+9DEfzihjQIzJajJIoxWqKakpiAsnQ0heNvhG/AhZZMz3FbU7FReCGwWRgwXidCPRStxg89BKpZyfBB/GxaVwnq+77YjF2EugPDe5FUaOABjybL+HfIAciPa7AKH4TilSwJ431dqJN+GRyRy3cKLdA2Cmrg2htzSE7RNa8I1qs5LvvXHzGzHLI461sIehyKIITAwHIkmUtlAZFl+8dpo3F8iXBzswXdNnFbTrD+JtiL95OTLQnrGHZ9Tr45TY56HzMX/e4aU2XYacp5MEd1jaxTR/veTuCHegokpgLIXvOvYEy2sJ+T+QL6KVTNg62XFhd2aerSVX3Za7gIweMDaYk8/Ot4GrGLm1geK9N6JMNVUzhpkopTztyOtcyez7frVt7U
r9UaENbFCfyFcyrji2rd19qqNnlDliIgPmDgn+4r3NyDzsT1tyQw5k+Sfks5O97yAVSBu5xtXZxm3Il3spuZGG2fCj2cbVNewdtGBpO2TVyWzJdvVy2g0v3PhKbbBPlUmbIuB/MPmAzsNcdWDcSVX1TnqIgNmxwxazkQmOM3a+MSIhkNrX40nbz5ES2LsLdBD0tYdvz7b+q4Vn4GzYAzokurQ4QWf0IzVAVm7G9B8m0uCkDXeEPM6w3V6PpA7Ij4ZguGN8HasybJ3fSvtpca/fR78RKSlmExQLbo2AN51v4EWBddkMP7hWn2lzvdrvP26wtoPobpgWTpKPNQLr1T1r2vQTCVe7++Yzk1G0cz60+U7G8blqrBbv87N61ybh1XyvqVFS7mZ9fSoASkWmUFsuyqpSiQrHwVVZvTIAm/icuxp9HKT75wz9CpERxI6ugn5qVc3X05X13Nox9klwFPmir8TSrYHcBkCrQuECLbYoGy0K//B5N44tuQES/2K2xqOMssNkA91Pzhn34nU24f9E3szLCFtVP4Jm4p1Rc+kfkd31RiUcr/5OJ/fWK+oniLByPAilMuAdSQmFMj+bmP/X9qCW56L/TbK1pryS6GdCylj/5k9ZH3SKoArJgosttjb7ugaoVENlsgVkRZurADw9k2WRWBEVpK0QvGYxv9TcVJ3BCGfgxg8dJDJlC5ktHh26jKSVXv8Vi3NmXt4cM+Q+TtyCpuEGSdCozYjFpU1r6xanMpSdp6OcLe2qG4pfHoTLsZBVxoQ2K9y9yr7mMuJOY5HKZfVTQDxDdN0CzwoFL39BbqaaCcN/QjtYadb1sLdsdVY9+h8q9kPvwse3fMCcUGWtOkLxOVVQoGlt0bLkZ5xOYeCYm7OKLfeYsPmvQI5gE7nLJ1Qt7338JabERu51Ah2Ey0YT3QkUsKvAG0r0nKu3MtSguEadZtuz9UhkDOAv+3K96DeaC61UHyCjh+XTsm/04GFYJDWwhLpMPFI20GbOrlCAsbrix6Hv8egwkFZXjWfhIOczT82XPfk/NV+nxm2ktDEb+luCmm6MZ+HuW0u7K834NoflCnWYAoiNgBiAGUAZAAwAGMAYQBhAGUAZQA5ADEAMAA5AGMAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEcAVQBNAEwATgBMAEYARQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADEAMgAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPa04nJ4CoABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6bed0caaee9109ca

https://mazedecrypt.top/6bed0caaee9109ca
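
Added example, not part of the original report: the ---BEGIN MAZE KEY--- block in the note is base64. Its leading part is opaque (the encrypted key material), but its trailing bytes decode to UTF-16LE strings, among them the same victim identifier that ends both URLs above, a user name, a WORKGROUP\hostname pair, the OS edition, and a short ASCII version string. The script below reproduces that on the final 416 characters of the block (copied from the note; the NOTE_URLS list is taken from the URLs above and everything else is constructed for the example) and checks that the identifier inside the key block matches the one in the URLs. Because a fragment cut out of a base64 blob need not start on a 4-character boundary, decode_fragment tries all four alignments and keeps the one that yields readable text.

```python
import base64
import re

# Copied from the page: the two URLs from the ransom note and the final 416
# characters of its ---BEGIN MAZE KEY--- block. Only this tail is needed for
# the strings shown here; the rest of the blob is encrypted key material.
NOTE_URLS = [
    "http://aoacugmutagkwctu.onion/6bed0caaee9109ca",
    "https://mazedecrypt.top/6bed0caaee9109ca",
]
MAZE_KEY_TAIL = (
    "NgBiAGUAZAAwAGMAYQBhAGUAZQA5ADEAMAA5AGMAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZX"
    "AE8AUgBLAEcAUgBPAFUAUABcAEcAVQBNAEwATgBMAEYARQAAACoMbgBvAG4AZQB8AAAAMixX"
    "AGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcABy"
    "AGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADEAMgAv"
    "ADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAw"
    "ADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPa04nJ4CoABAYoBBTIuMy4x"
)

# Printable runs, the same idea as `strings -el` (UTF-16LE) and `strings` (ASCII).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def decode_fragment(fragment):
    """Decode a base64 fragment that may have been cut out mid-blob.

    Base64 maps 4 characters to 3 bytes, so a fragment that does not start on a
    4-character boundary decodes to bit-shifted garbage. Try all four offsets
    and keep the one that yields the most UTF-16LE text. Returns (offset, bytes).
    """
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", fragment)
    best = (0, b"", -1)
    for offset in range(4):
        chunk = clean[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        try:
            data = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        score = sum(len(m.group()) for m in UTF16_RUN.finditer(data))
        if score > best[2]:
            best = (offset, data, score)
    return best[0], best[1]


def embedded_strings(data):
    """Return (utf16le_strings, ascii_strings) found in the decoded bytes."""
    wide = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    return wide, narrow


def victim_ids(urls):
    """Last path segment of each ransom-note URL, i.e. the per-victim identifier."""
    return {url.rstrip("/").rsplit("/", 1)[-1] for url in urls}


def correlate(fragment, urls):
    """Decode the key block and check that it carries the URL victim identifier."""
    _, data = decode_fragment(fragment)
    wide, narrow = embedded_strings(data)
    ids = victim_ids(urls)
    return {
        "wide": wide,
        "narrow": narrow,
        "victim_id_in_key": any(s in ids for s in wide),
    }


if __name__ == "__main__":
    result = correlate(MAZE_KEY_TAIL, NOTE_URLS)
    for s in result["wide"]:
        print("UTF-16LE:", s)
    for s in result["narrow"]:
        print("ASCII:   ", s)
    print("victim ID from URLs present in key block:", result["victim_id_in_key"])
```

Run the file directly to print the strings. The same functions accept the whole key block from a note found on disk; comparing its embedded identifier with the one in the URLs (and with the host's own name and user) is a quick way to confirm that a recovered note belongs to the machine it was found on.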

Targets

    • Target

      RNSM00419.7z

    • Azorult

      An information stealer first seen in 2016 that targets browser history and saved passwords.

    • Azorult family

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • Maze

      Ransomware family also known as ChaCha.

    • Maze family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modiloader family

    • VanillaRat

      VanillaRat is an advanced remote administration tool coded in C#.

    • Vanillarat family

    • Deletes shadow copies

      Ransomware often deletes Volume Shadow Copies to inhibit system recovery.

    • ModiLoader Second Stage

    • Renames multiple (270) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted and renamed.

    • Vanilla Rat payload

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified version of it.
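
Several of the signatures above (Disables RegEdit, Disables Task Manager, Modifies WinLogon, Adds Run key, Sets desktop wallpaper) describe writes to well-known registry locations, and those same locations are what an incident responder checks on a suspect host. The script below is an added example, not part of the report or of any of the listed families: it parses a .reg export and evaluates one rule per signature. Both embedded exports are constructed, with made-up paths such as C:\Users\Public\updater.exe; the registry paths in the rules are the standard ones these signature names refer to, since the page does not state which exact values this sample wrote. The wallpaper rule uses the ransom-note path from the Malware Config section and only flags a wallpaper dropped in that same directory, because a wallpaper value on its own is ordinary user configuration.

```python
import ntpath
import re

# Ransom-note location reported in the Malware Config section above.
RANSOM_NOTE_PATH = r"C:\PerfLogs\DECRYPT-FILES.txt"

# Constructed .reg exports for this example; the values are made up, not taken
# from the analysed sample.
SUSPECT_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\updater.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\PerfLogs\\wallpaper.bmp"
"""

CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Handles dword and quoted string values (the types the rules below need);
    other types (hex:, hex(2):) are kept as their raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_LINE.match(line)
        if current is None or not val:
            continue
        raw = val.group("raw")
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # .reg files escape backslashes and quotes inside string values.
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = raw
        keys[current][val.group("name")] = value
    return keys


def check_signatures(keys, note_path=RANSOM_NOTE_PATH):
    """Evaluate the registry-based signatures; returns [(signature, detail), ...]."""
    hits = []
    note_dir = ntpath.dirname(note_path).lower()
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("\\policies\\system"):
            if values.get("DisableRegistryTools") == 1:
                hits.append(("Disables RegEdit via registry modification", path))
            if values.get("DisableTaskMgr") == 1:
                hits.append(("Disables Task Manager via registry modification", path))
        elif low.endswith("\\winlogon"):
            # Shell must be exactly explorer.exe; Userinit may only list userinit.exe.
            shell = str(values.get("Shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":
                hits.append(("Modifies WinLogon", "Shell=" + str(values["Shell"])))
            parts = [p.strip().lower() for p in str(values.get("Userinit", "")).split(",")]
            if any(p and not p.endswith("\\userinit.exe") for p in parts):
                hits.append(("Modifies WinLogon", "Userinit=" + str(values["Userinit"])))
        elif low.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            # Every Run/RunOnce entry is reported; the analyst decides which are benign.
            for name, target in values.items():
                hits.append(("Adds Run key to start application", f"{name}={target}"))
        elif low.endswith("\\control panel\\desktop") and "Wallpaper" in values:
            # Heuristic: only a wallpaper sitting next to the ransom note is flagged;
            # any other wallpaper path is treated as normal user configuration.
            wallpaper = str(values["Wallpaper"])
            if ntpath.dirname(wallpaper).lower() == note_dir:
                hits.append(("Sets desktop wallpaper using registry", wallpaper))
    return hits


if __name__ == "__main__":
    for label, export in (("suspect", SUSPECT_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(f"== {label} host ==")
        for signature, detail in check_signatures(parse_reg(export)):
            print(f"  {signature}: {detail}")
```

On a live host the input would come from `reg export` of the keys above (or from a collected hive parsed with a forensic tool); the rules work on the exported text so the check can run offline on collected evidence.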

MITRE ATT&CK Enterprise v15

Tasks