Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 19:22
Static task: static1
Behavioral task: behavioral1
Sample: Maze.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: Maze.exe
Resource: win10v2004-20241007-en
General
-
Target
Maze.exe
-
Size
898KB
-
MD5
61b32a82577a7ea823ff7303ab6b4283
-
SHA1
9107c719795fa5768498abb4fed11d907e44d55e
-
SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
-
SHA512
86ac9d3d0804f5dd3ebe08ab59058363bceeaa3f42d2d482f97ce688837b3b81693fde2b973250b93ee3223318b0f8e4f2faf6b0f91017807feacabce979d700
-
SSDEEP
12288:20lnPLRBrenjExzDKNg6dNoQl+vtMyOo/mSVTWa5QLeuXwuxbvRr/LpiRPMBp:201PLX0GferoQOMyySVa/VFbvhtiRPo
Malware Config
Extracted
C:\Users\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6b310c9f747d5737
https://mazedecrypt.top/6b310c9f747d5737
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Maze family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b310c9f747d5737.tmp | Maze.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b310c9f747d5737.tmp | Maze.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | Maze.exe
-
Drops file in Program Files directory 29 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\SubmitGet.xlsx | Maze.exe
File opened for modification | C:\Program Files\MountSearch.php | Maze.exe
File opened for modification | C:\Program Files\NewExit.wpl | Maze.exe
File opened for modification | C:\Program Files\RepairStart.mpg | Maze.exe
File opened for modification | C:\Program Files\UnpublishApprove.ttf | Maze.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | Maze.exe
File created | C:\Program Files\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Program Files\DenyRegister.wmf | Maze.exe
File opened for modification | C:\Program Files\PublishMount.ex_ | Maze.exe
File opened for modification | C:\Program Files\ResetSend.rle | Maze.exe
File opened for modification | C:\Program Files\TraceSkip.edrwx | Maze.exe
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | Maze.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Program Files\AssertUndo.pps | Maze.exe
File opened for modification | C:\Program Files\InstallRemove.aiff | Maze.exe
File opened for modification | C:\Program Files\OpenUse.rle | Maze.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6b310c9f747d5737.tmp | Maze.exe
File opened for modification | C:\Program Files\MountCompare.txt | Maze.exe
File opened for modification | C:\Program Files\ReceiveSend.pcx | Maze.exe
File opened for modification | C:\Program Files\StopConnect.jpeg | Maze.exe
File opened for modification | C:\Program Files (x86)\6b310c9f747d5737.tmp | Maze.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | Maze.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6b310c9f747d5737.tmp | Maze.exe
File opened for modification | C:\Program Files\FindSkip.zip | Maze.exe
File opened for modification | C:\Program Files\MountBlock.ram | Maze.exe
File opened for modification | C:\Program Files\UninstallMount.hta | Maze.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6b310c9f747d5737.tmp | Maze.exe
File opened for modification | C:\Program Files\6b310c9f747d5737.tmp | Maze.exe
File opened for modification | C:\Program Files\AssertEnter.ocx | Maze.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maze.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2496 | Maze.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2792 | vssvc.exe
Token: SeRestorePrivilege | 2792 | vssvc.exe
Token: SeAuditPrivilege | 2792 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2348 | wmic.exe
Token: SeSecurityPrivilege | 2348 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2348 | wmic.exe
Token: SeLoadDriverPrivilege | 2348 | wmic.exe
Token: SeSystemProfilePrivilege | 2348 | wmic.exe
Token: SeSystemtimePrivilege | 2348 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2348 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2348 | wmic.exe
Token: SeCreatePagefilePrivilege | 2348 | wmic.exe
Token: SeBackupPrivilege | 2348 | wmic.exe
Token: SeRestorePrivilege | 2348 | wmic.exe
Token: SeShutdownPrivilege | 2348 | wmic.exe
Token: SeDebugPrivilege | 2348 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2348 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2348 | wmic.exe
Token: SeUndockPrivilege | 2348 | wmic.exe
Token: SeManageVolumePrivilege | 2348 | wmic.exe
Token: 33 | 2348 | wmic.exe
Token: 34 | 2348 | wmic.exe
Token: 35 | 2348 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2348 | wmic.exe
Token: SeSecurityPrivilege | 2348 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2348 | wmic.exe
Token: SeLoadDriverPrivilege | 2348 | wmic.exe
Token: SeSystemProfilePrivilege | 2348 | wmic.exe
Token: SeSystemtimePrivilege | 2348 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2348 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2348 | wmic.exe
Token: SeCreatePagefilePrivilege | 2348 | wmic.exe
Token: SeBackupPrivilege | 2348 | wmic.exe
Token: SeRestorePrivilege | 2348 | wmic.exe
Token: SeShutdownPrivilege | 2348 | wmic.exe
Token: SeDebugPrivilege | 2348 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2348 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2348 | wmic.exe
Token: SeUndockPrivilege | 2348 | wmic.exe
Token: SeManageVolumePrivilege | 2348 | wmic.exe
Token: 33 | 2348 | wmic.exe
Token: 34 | 2348 | wmic.exe
Token: 35 | 2348 | wmic.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2496 wrote to memory of 2348 | 2496 | Maze.exe | 35
PID 2496 wrote to memory of 2348 | 2496 | Maze.exe | 35
PID 2496 wrote to memory of 2348 | 2496 | Maze.exe | 35
PID 2496 wrote to memory of 2348 | 2496 | Maze.exe | 35
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Maze.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Maze.exe"
PID: 2496
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\e\ndpb\..\..\Windows\txcnm\fhj\blas\..\..\..\system32\lyr\o\lbq\..\..\..\wbem\oonm\yrgl\..\..\wmic.exe" shadowcopy delete
    PID: 2348
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2792
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
PID: 2076
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7D0B4BB1FC0D40E0A4C93968E91C0D42.dat
Filesize: 940B