Overview

overview

10

Static

static

3

e8a091a84d...84.exe

windows7-x64

10

e8a091a84d...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/01/2025, 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

  • Size

    473KB

  • MD5

    f83fb9ce6a83da58b20685c1d7e1e546

  • SHA1

    01c459b549c1c2a68208d38d4ba5e36d29212a4f

  • SHA256

    e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

  • SHA512

    934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396

  • SSDEEP

    12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ

Score
10/10
mazecredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">caW4ezAHRm62FIZCmVTPqeY5nk8j3pSY3DnTfb90bj7igZfPXnMwAggTBZwCbnvozVNXsc2KZCLHPAVxew2oCe9Cz0VfsmNGNa8gQX+RoE2cKZH7o5WS57jGJO+Fg8mUNHDKxv9NUtgBm8pmPqnDuCbdl1QfntbPO2ZpnzNfPpEf7YtopQ8pUrNgDZABD2HroelnlunKqKqyWBjb5wMBaBb0ejBOB8TQzj0RYxTj90xccPLfz+O8dy4srlIcaKJwK25rqxTnEE8NY8aARrar38j1ze9U6esYgUysc8+ql/jcm9I/BgmFt5z/cYmJzDlFJvTLb8LxLD3I2OJoeDS/mQzOGuRWnKexqK4796sGKk+orfjpxcdPAarR2hyJTmnqDO9dS4MwIKSTXrgJhplClySBZAVUHjG9jgWlF6Tj/h5KGtzCNz2cCZaEYv7clVuIDub127f5DZlYY3onOUc3RkvRGWXeE60JU70EOAyjyZwkvn1NhJKch/RwC3MJmRnrJUhALu8aOkAlOKTC0zQPHptfypdOEXTmMgZ3SfcJQgrG0n/BZuGhMbvsEuddyQeHGrMi4FICyRMKS4KzFmZiGQlT6tDhx3qf0b3ZuR/FKmkRSHxzq5p6IfaJ1LvbpVasO5xtm8+7459G17jRcRyUFujeY1/hg0F1lGeRO2Suf7CYxk/+E5fdFWig7nfTWkIfVrpBlgJcGc0uNMyHj+BJGK4tgccxKcwWpsNFDGtEa0Gs7X5Cg6PWqqd6TEa9w43ZsiyqijOWeMOx2WL4OXHgdg9cKBQ8YoPorjPPab+hCE8cXUx6Ly/8VYbiZyFdukeOmIG8JVknUzFVoasxd+CRXY0yx8Cv1lswkyviz/TaaC1ZECOAPM1d82wJJMC0pGy1C6V8o9uR90HHDzDBLaO5Y6C+qxJzRu1rMpf7NnLj98Pf2eL6SVqUE0x63b5EFH5Jm8IjUb7z5yUWzCU7xMNAabZHLsaB+oCjawhnns9Xl6xnsB0fYVlCcGplCStJDtdetd+vslKx2HQMM7kkql0Bfej4OpocxogNSficwmCojRNIYMrml3xPlRnVpWPo3gxwXu2Mqy5K6zgjdUM7JvgoAE0WQaEaF1fi1QwRWiv42vh9HeQ/W/+WoZzC9Ry7tfNmGG7FSWmhpkDOzmlfcNBbyq7myqLy0Ol0kM3l4dWHU+Wi5CPNDJ5Bdj89GFGSX5QKkMT546//zef+1ENr0xxxSVCunhhqJPPJfOqOlBY9to8RY4dV6QTgYHiT4Zx0sRC7pURUQDfNPGEXUgjaO0/RUD/MaUiQW1TfQz7mcbymC2GyaOJh5EEz4oMlGXgaUw4CioeXdI0OJZgYXftVMq8T40lQhvvmPqP/1lfDMREvLUMFfFKYWyW5ZKgHQ/sZ4qlx/L5+tQAGvMRFBktplEd0iPql8bwvfrOE07zhGbXw3j7M+VPL88p7m6ZG8TOa7OL0uagmR3JEwzMuz13B6LaYYcm51regjNS7oJ2iZKMiploH+hR4G3XMIl9NK25KMC2owZsHXp06pEZBtGMyUgtHCr3QAhB/c5ncNJzB6B2pD8vxGqTqAzL/P+odIBrUiSDGFTu0iF/qM8nuSlNzrGme7CwCXdb6cem0e1HT4hdldvtSHZy5jxQOLvyJkR0a/AG5qi0GMQtKewDQ9NnKVb//WvhK+8xaKOao8PkiuyJ4MqPJOGwntGfk8rgy2WLvs3eVAsczIA4CjEMj1tPxROEte90GQyTstOYqWV7mfFscitJEkqSyxf3xBqxyF2wfBtILtXPnebIRcT4nLGlMm+W79ldhPx9SCO2yS+0brExVCrx4NYMf8mpBlZmNjbLIHZ1rKlE4Xz2mhjgEjE6hFVMN9S6jmVhKdXOw5pbWQKBkLxyh/hFz3ybgFFILtNQz2n9peXxHc3otekBAFakhIScPut7IYR7FBCOf8FPmkpW2q2MCoXIIXuz2OxbEF0b+vLfp3srdf4TGdmFARjhFZZ1UY5M0w0+ukVT6ztxHzwbsXzahQDcOQ0a1Wbv4A5nUIa+cBWdzb2O1FDIi6gscdTjbJnve9gP4hj18bS4Kds9bHgjj/ymqK7tKmkkvU6Om2jmdDqdwp7FIMcmH8S9gC1JLuxqNAZftQzCWAeCCpB6e83aftU1zUvl7iU2d3sOkbPoJO5mCiMOUcZ6T3Qw7FeZ3kTLhI73qzIPwKlsJi5XnuSMBxFdNysfB0YFq+cGEb3NffyASwQoiOAA3ADYAOAAwADkANwA5ADUANABjAGIAYgA2AGUAMgAAABCAYBoMQQBkAG0AaQBuAAAAIhJRAFQAQgBBAE0ARgBPAEsAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCO7d5yeAOAAQKKAQUxLjAuMg==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

[email protected]<br>Reserve

[email protected]</b></u>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Maze family
    maze
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\system32\wbem\wmic.exe
      "C:\ofsm\gipe\eikq\..\..\..\Windows\pxat\tay\..\..\system32\y\hhn\amjwj\..\..\..\wbem\tb\xvrm\iysb\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\system32\wbem\wmic.exe
      "C:\fn\i\iobxa\..\..\..\Windows\k\weqij\..\..\system32\frma\..\wbem\u\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3604
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4bc 0x304
    1⤵
      PID:1196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9910FF882EF644719F121F10AD8A97AA.dat
      Filesize

      940B

      MD5

      39b862c51edeb85c61ce731bee470b7f

      SHA1

      0f8fdfecab91f8646248dd7adeb227247073acc7

      SHA256

      841e9aaa6b8ab41f33d178822304b81e88729962bcae6c3cf3fdf1b12e92086d

      SHA512

      e17e764c1b449936b35a7e9b959e80f15ab3938deed6760bc7987007c2da4d85ef079b198d90b6b57416354e3301dfe7b601315032c258212a41a15e0b663c8b

      Download Submit

    • C:\Users\DECRYPT-FILES.html
      Filesize

      6KB

      MD5

      2acfbaf1838dbdfa1f7ea1017fdb4f6e

      SHA1

      25564dcff111c47971adbfae6fa6c581ab294c33

      SHA256

      7c0849f426c2b55bb7c61b7e2fa66ce761d6e068c5b9ad302a5fb50932f731d7

      SHA512

      e16fb7a427b3a2459df04ecd91e1bf56c7d606e02cca007a3a1f66b314a3379aa548af3f810696878c4a701b55ad58054f54e29a03b96ab1037aa0b14c4b7704

      Download Submit

    • memory/3584-0-0x00000000028E0000-0x0000000002939000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3584-1-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3584-5-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3584-9-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3584-10-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3584-14-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/3584-5440-0x0000000002A80000-0x0000000002ADB000-memory.dmp

      Filesize

      364KB

      Download