maze | a0c4b8e5e7f294f98917f0e59dc4800cd8d0d3bffac01bdf5d7558341010a972

Resubmissions

28/03/2025, 15:32

250328-sytmyaxzbv 10

26/03/2025, 22:22

250326-2aba5awm17 10

Analysis

max time kernel
299s
max time network
299s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maze.exe
Size

364KB
MD5

b93616a1ea4f4a131cc0507e6c789f94
SHA1

0b97455143e682e818fc4a9b615f57349dc84894
SHA256

2a6c602769ac15bd837f9ff390acc443d023ee62f76e1be8236dd2dd957eef3d
SHA512

e6b8e4009ee946514c0a177838b1094b70fe84d8e4511e8ab9bca4180b0bf4cc5bf2ef563fb7efabd6cc91d758ed2e910f501081a72aaa9581d17ece780b70ad
SSDEEP

6144:jx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd19pV50DEreNg/ydlb4fQ6wFMvM:9MAwmMD/Ng6dNoQl+v

Score

10^/10

maze credential_access defense_evasion discovery execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6ccd0cd3319cfefa e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6ccd0cd3319cfefa b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- gQVrc48taOahMCrN1ct9i1uV7IvT0OHIZXFc8TitYqkIKL2B/Cm9gumfOfs5v6dXUgb4Yz9tnJ1CyI65C02iwwpZrjw1MMkY/q2Q+3vothEBuPKUs387CTVuWPH6iYq+3LW9wiYxKkD4OYFnNKCioGZXT6gr36mBBwNGYVD3sN22kVKnWlGzR7r5PHt2l7+Tvdb9DEjlLhqlHcaRj4LzIvrQIkgXpQ9iPU5/HJmgGvcFUat3RyHf+CK2Fl7L1DHM+/jyb82umHz0dgJtgowp1U0acOwZRr3HWh/Q1M8Ak9kxhLSOdZzMNncAIc1++Wwm12cWt6R6HcL0iBO8qE1dz1IwRI0ikf7axT/oNIHuxpmFWsTN/Z6iroLiLASxFtn8Dlz16ZadOzS232bOZttTIfH7UBslLIoLxzZQSbEi5h1llmi9CPPDViQC6nDcA7mugkZxuUGKJl0hWxJKs3UA3ffuBQHsTXzmwHkMVQY5gLyLvrk3W9xgZtckPg+kpJCJxCWvR2TU3sHpYa5rRaxOPekGvAm+I5DacVgFEZzQlH2rqvlJzr5WWwwzfkz6VES2ndnuYM3C0GqlHovxsCvVgx11dqV7aOVPOAqOtJiPUUYAGtEcRKXVBGBvijEbt8xQVFL8Rax8YFuzvv1EVfE0xPxnngP9dwkh+Ea/0AAyEyS79iQKCPAmKnnN9OfjM6Og31DqZxJyLrFDxEPv/6M0X9OS6EIvOfygHgSa5mNC/clFtfu5QqiD5snlz6QSSe2ABBnJi9/kKTt/8M1/flhwx2oLHDe9gCypPgBnjSyAqfwgV+1gn12+wZ1aszFZSUR9Cx/Mc7MshVegxjMHZZiMOiDpNCypT087UATjzCgReXwiHWJXEBVOgytimFVpEus216habPTJaTvn/NOSQFdNl/+OK06tAMl0LetNOXyP8PXKTJFtnIzEoMly7gCATJfdG7sPj4qfxloJLdBpxVhdiHMWVstIuOk2UG1uoloR37TwSTRhV8fQi0r/yZM4tCbEp9Df95M8yOisS/zTpQM/MoVT6DGFJJh4qpCTtryia22HKt3r2cRQVTxOuD3OvAWj1ucpQBSOjIQPfufBgZWfVBQzsAsZjBxVeXsEmhTbSqLdQxhkqWNh6KeHtHMDUbls/vcF/NlxY8UEJjP3EBAgcMtP0zSj/0QnO/9iOmnMyhnZPhDJHEXumfuBEambXvUWA93fC360Hwyxnhyh3V8iRNesSvLKIshMqhIWyH1A0CyCLb/ltmVp+KqlxCO8F+YN/dBEF+0GYmB/ZeIk5rQIYw5BZwBl/btRnKSKosSHH3R2NwbnnBj4kfGSnOKwZGhdJgf0D7W+ptJwJnwclo4Iuc6IZhZVW70j5axUE+m+ObjnrWfptNELY0B+VmnE+VciyC2WxgSwmxSRoZlWfFR/9FFw2v24wTvq+qvuBrMPGyXMvftf75iWr9T5rhbbjf1/XqlT9COB4Vk4xaFOd5UG7S7mZchAeqxSRUbHoCr9wjT4nRVpwMkt778xKUMHqN3j9LHO6V/qOGwZ1uvI5rrStfMCAz2P3aU0XW2QeGrF1PYsjlfA2aL0sdBO1/wEMcbyfvhYWR9qpj0mJWw9j9rvwJUoo10hH/wXMA8SmF5KWuCox5mu7eVYLPwevf1690oqLNw69ZqoyYOqM06z78LrYathVyyJVBDP8p3kpFwrajzGwOBXzV6l2XUvB752rKDsP5OjMTCh8n9VKGvTRS3PoVelLa0iY3rvyJKQx/a0q5Db2IyQqvk5m5OAXVHrxNbkrTm++wH0cVk94wV6ViT3XZO2ps34jV7YthonDG801QrINZX7PbOrnPkR7R1VH66ZCC5Un/1l+m20ImJEDdEAxQoRq2kfCYabBODsLZSxs7AHdvq00x84ciKI1+4QcJDRK172zIDIhFMqiRP9x+R3J7haL8OXNVBw/zKjXJsM1iQywW+0DY/2utbqKlK9lU2Mx62KSbs63G7qOw7pjMtTxjLKZLFN9B9TqQTYA0iCgiI4h6sir4OEiNn8Wk2oe2AshyUu8SmttnMcUdHKkw484q6wWC8CznBU8lFo8q62+wwjCi9UMQkfMGM7z9QvjHnnR2rcy7Nhit9Yh6763MN9DQoFRUhBF2dmMcqRcQGf1zzZ8Hi7YdoI0M14IO1GI/xxGrlCrgPF5R7lB2t1+7vptnEE+Zxxge5xqYMn//a3VDDl2QXdO4dFGfzjTku5Kw2jnYBqpAoiNgBjAGMAZAAwAGMAZAAzADMAMQA5AGMAZgBlAGYAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEoAUwBNAFUAUgBOAFAAVAAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAA0ADgAMAAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADMAOAA5AC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcLvv2nt4DIABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6ccd0cd3319cfefa

https://mazedecrypt.top/6ccd0cd3319cfefa

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Maze family
maze
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ccd0cd3319cfefa.tmp	Maze.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6ccd0cd3319cfefa.tmp	Maze.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	Maze.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExitRequest.doc	Maze.exe
File opened for modification	C:\Program Files\GrantWrite.wps	Maze.exe
File opened for modification	C:\Program Files\HideUninstall.rle	Maze.exe
File opened for modification	C:\Program Files\LockSync.mp2	Maze.exe
File opened for modification	C:\Program Files\SplitGet.mid	Maze.exe
File opened for modification	C:\Program Files\SubmitImport.mpg	Maze.exe
File opened for modification	C:\Program Files\SuspendEnable.ps1	Maze.exe
File opened for modification	C:\Program Files\DisablePing.vst	Maze.exe
File opened for modification	C:\Program Files\InvokeLock.m4a	Maze.exe
File opened for modification	C:\Program Files\RevokeEnter.ps1	Maze.exe
File opened for modification	C:\Program Files (x86)\6ccd0cd3319cfefa.tmp	Maze.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Program Files\ClearProtect.docx	Maze.exe
File opened for modification	C:\Program Files\ConfirmUse.reg	Maze.exe
File opened for modification	C:\Program Files\EnterExpand.mid	Maze.exe
File opened for modification	C:\Program Files\UninstallLimit.mpeg	Maze.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	Maze.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6ccd0cd3319cfefa.tmp	Maze.exe
File opened for modification	C:\Program Files\6ccd0cd3319cfefa.tmp	Maze.exe
File opened for modification	C:\Program Files\OutProtect.DVR-MS	Maze.exe
File opened for modification	C:\Program Files\RegisterHide.avi	Maze.exe
File opened for modification	C:\Program Files\TraceSwitch.pot	Maze.exe
File opened for modification	C:\Program Files\CompressApprove.wdp	Maze.exe
File opened for modification	C:\Program Files\ConvertSave.pot	Maze.exe
File opened for modification	C:\Program Files\GetSubmit.aiff	Maze.exe
File opened for modification	C:\Program Files\PushMount.xlsm	Maze.exe
File opened for modification	C:\Program Files\RepairSend.bmp	Maze.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Program Files\ResolveBlock.nfo	Maze.exe
File opened for modification	C:\Program Files\SelectDeny.TTS	Maze.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccd0cd3319cfefa.tmp	Maze.exe
File created	C:\Program Files\DECRYPT-FILES.txt	Maze.exe
File opened for modification	C:\Program Files\CompareHide.doc	Maze.exe
File opened for modification	C:\Program Files\ExportPop.ogg	Maze.exe
File opened for modification	C:\Program Files\LimitReceive.xlsx	Maze.exe
File opened for modification	C:\Program Files\PublishConvert.potm	Maze.exe
File opened for modification	C:\Program Files\RequestMount.zip	Maze.exe
File opened for modification	C:\Program Files\CloseCopy.pot	Maze.exe
File opened for modification	C:\Program Files\OutExpand.xhtml	Maze.exe
File opened for modification	C:\Program Files\RegisterSearch.vssx	Maze.exe
File opened for modification	C:\Program Files\RemoveOpen.docx	Maze.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6ccd0cd3319cfefa.tmp	Maze.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3052	Maze.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	264	vssvc.exe
Token: SeRestorePrivilege	264	vssvc.exe
Token: SeAuditPrivilege	264	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2904	3052	Maze.exe	34
PID 3052 wrote to memory of 2904	3052	Maze.exe	34
PID 3052 wrote to memory of 2904	3052	Maze.exe	34
PID 3052 wrote to memory of 2904	3052	Maze.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Maze.exe
"C:\Users\Admin\AppData\Local\Temp\Maze.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\wbem\wmic.exe
  "C:\rvvlc\at\idgc\..\..\..\Windows\ge\..\system32\uqgv\s\nnxkw\..\..\..\wbem\hu\jgauo\hm\..\..\..\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\DECRYPT-FILES.txt

Filesize
10KB

MD5
142b142563fa3e7f7e6593bae4534698

SHA1
04ac5f62e4baa7f33ff77701585bdc37e007d46b

SHA256
487d7a42a6926012d643111f7f02b3a9f3ce5dc9c69cdd52f6d30ba2ed652bd2

SHA512
6ebda76daa8400245a7d8cc77f70c0601f7861f6dd494b416cb2ae250bcd424e1586710c2f5815ef0ff51e90dff23a8c3d67dfdc16f39c73cf59cfa07828918b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B59C5E495DE5476595B0E8F303A9D5F1.dat

Filesize
940B

MD5
f157b74fe373b5f9700a9cd9aa992b31

SHA1
b144b0e6486f49e8ecef5ad86d6610ec16689272

SHA256
7f0f889775821ed76b930bc0b1833e86540ce4aab0f7c44ba9f5a4a7e78b31b0

SHA512
a4b7e7bc519d2c1a71846ab5ced1606ff9d85a1a8792c508eb926d494ce92de7be578e888dfe623f3f1e584e0c54b6beea9cb388d533216e640a0e1fac356925

Download Submit
memory/3052-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download