Analysis
-
max time kernel
819s -
max time network
794s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
30/01/2025, 15:39
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Score
10/10
Malware Config
Extracted
Path
F:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Maze ransomware</b></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
</div>
<div style="text-align: center; font-size: 18px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">fcdnqrSqzYbpzijOJzKVqJd25SZCcqK3T/Q8Vb2Wr88AMf+E85Oe4ujknPdQPX56I6MpPtDQBJRXCfbFlq8tODbH2X+CXZnYCFUjYMjazZAKG03UU/jZzwEwJ37HjUymF/7UzmmtCapkeyghllYKnK5OIo7x7kALFi86h6bhxDr1uco14I4mrwtj9HyFh2s+nPs9soAuG8YQd+7FR9eq/rC8/8fzG1vPylF+dwHO9lM3WNVbJi5BTFTlbYPwAJ88jZ0PH3/Ymk8gGBG4V4hL5+nQu0O0FxNRsICEOhhxm+uRzbxyfHS/7SMtllNO3nhUYMYBMbsEzYyBnlrfRcLlhXz/bsQNLFuUprv9DA1/f0lqnJuC75qVC1RLE4BleHf6Fqn9HrdjxaIF4WB0N/UxCWGVOPiDo/ye8jU/JGDH1NwDONH66QXv7KmWy5jHRIlOfYnr2YG3opBNe8hifbYYCaPbbOjnJ7J19mO2G1sqIMgp4IDi9/5c6ymIk7I89VaF56Qww9MQ5MKrxDFzLHfsOop1aJbbdOm77seSeJyq2r+a8OMc9EoaU2Sg1BbsCv1qjh3A8JZtjvXNnxtnNm21ggnnNnZdqzctcVqYkDHQEHk8Ihmwj5Lax6pd/cUmUBqse+nyhUgJT36RnJ+W94d5Drx9MWLNCAmOk4/BSW3stIBd90+JHdWJKnzA9yDTHmk8W5v1ttfabl77SaGonZCdlnaWI/UjQZciQ5IUdSUfmyvWVpO7q+8jQIsz7G36TkKSa/PA975agCqZ0YkLofREChZxQhFsPPRE8MIWnHnhxd7XZ44KByXhq0AQjmbTNj3iBG1kejBag41aM5LKFabF4025W/80QtrmkswSvJsBxEowQhIqAAkk5WFnknpON2qeXOEBfKak6x55hTwOoADZDPm820wpRmll0udqD76iKDhHDrly+RKwSCNMSlLLUDwO+MB4jg7ipC9gbQrWBBK5Ogqa6ki42xyWYnJ5wei3qk9aPerbwMFUGYom44O4vheD0DFAtNEwfqyIP96+AqTrS7067xs734F3SGcNHDyfjglhON1p2fSM8NGrQmI6kata4yEjzqPFjAKVwwS0leIq18ccjQxfv9ZlMiO8RRejeyO/G/r02ziitWA3Nynmxyv/d2q16iv3m6c/CPg5wR2lsdLnZTU5R4v05LnEWiEQx4ey3E1toRGvRfVe5QQczy0sLYTAxslUTbaMASMMjxHpXNQ9425TuP+FoARIOPSce4tfv+krnljmGPxvt3mMv8JTLZ0sY5K6lObbk70xpEzbbO3J+xWbTk+ZFbxuxdbSOGq5tJcCh1tVwZYhFxAdW2iBE9ZUOg8FL/bA5BGNuzK2NM8p1wdnwhEeZD5bRgPJOX58fCAzXyvcofiHzNVo80VMjdvEMJ6Gw+BPp3UI9BuIQNUJmvGhwxpyHbqZgne5rPa1ABEbrYHSp/oywtEe6XIsQm5qiELavQKPdopixB1Hqm+SY+S5/ZkvwB6aru/nw/HmnqT37jLj+pahQXM4cOjPl3iuBm7ZEPUPtLQkzu5lVc4JJIX6W3t/cMtJUoZJtvyRpkYwjT32KZQQiS4vsVyOPVJEpBuFLh8D0ba7C6YZYHQMc7CI3aOOg4/5aTr2NXFhRGC1WKAZIUb+wCrUwNTotmDlLT1KNi72Q3/HzpvUal4BaX9rxfCxq7+pKDJJ0gd2Fk7UsHRtYyJ8WTn0fZhuCSZJklSVivU+tN77UyiMWEGWvK1b0n5xzAn3MQpiJrcq4vGkYWSw1NYMqRb0vc3WBYkCrNOnuEYSEJnTAdR3dRepg4/7rO44oiYTRjOu0BtLivH/oKOJwkgTM7qAr/y8NyiaVnSi+/bdxwZpnkwPcb8NxIJS6gc7202CU8Cv32PEd8rQKVTMNsPqRTMvqS5mYgSc6FVoCE6gHEOgEtSryoQCT3fsiRfop3cyMhgRo6LZLDl0PutjqeIMZ6hWdj884SUDuBQWziWAEf7nOVnBUhPKakeQJ6C0+cJdG/YXm+DlJUNSvN1xz1wghbAObvh0O8htwDcfstvwiOPoDXc6RlYwosIYQL3XrtzIg3oRLDPKZCK/Aj7CK1KxDjARQ9WAxeQbNY1NP4p4uXa4IErhA3fvv3nWr5MnsMu4EvLpCcJH5XNGuZq6+OHclTiM+TgmUDynK+Se2LzZcI2vdmCbdrO9QinBA/pI2zCHd1zTpSy4nA1RGWYQQ3qo8gaYUOO10wbyhAoiOAA3ADgANAAwADkANwAyADEANwA2ADEAOQA2ADEAYgAAABCAYBoMQQBkAG0AaQBuAAAAIhJYAEUAQwBVAEQATgBDAEQAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCUnOB7eAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails
[email protected]<br>Reserve
[email protected]</b></u>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Maze family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\w\hkuf\gh\..\..\..\Windows\gwuq\..\system32\yk\b\..\..\wbem\es\hqkkj\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\aqdch\..\Windows\w\eu\..\..\system32\yrrb\..\wbem\phh\yqm\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a41⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5141⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5d01⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940B
MD5d339afc8bc0c101ca7001f354d0285ab
SHA1f60fd959e4702b9bdbcfad7b9b1c124b6d03c71c
SHA256c1d46d922f6f027abef18b5ae9bca6dca34c9c2e27fc978f5ba9529ccb52d19a
SHA5129942d4d29bfa1d6d15f8715a10c83a628d3e454278932eb65730831bea5c43faf606cd74acfa9f46b290d16f9b508fad77d61837c1be6874e00f852376e39637
-
Filesize
6KB
MD59928989ecc9090db49d29109e8139b3f
SHA19dfb064af17492f9b5743aee4f48dd642ff80628
SHA2564dd77cef34a3558756940b97681d238afe3cb95461cab56f96cf61eae4977107
SHA512dc798263153154eea62ce8589ea5c0ec209d0855bd0ae61a4dbdc83dbfe0ad19f62c89fa3a0f6e2464930137b7219d92e38428d73e48c15da6b1060deaa46412
-
Filesize
356KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB