analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

f83fb9ce6a83da58b20685c1d7e1e546.zip

Full analysis: https://app.any.run/tasks/f80d5598-f771-405b-aea3-f95389b9a920
Verdict: Malicious activity
Threats:

Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.

Analysis date: June 27, 2022, 13:07:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
maze
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5:

A024E1D53D75EAEFC4AA74131FF16FD8

SHA1:

CFD053A7E793EC84EC78679F224B417C760E0A5E

SHA256:

77B2731FF3C7A14B8B962EA387C41293415B3478E73973888851991105777560

SSDEEP:

12288:6Zr2Dvm+2LDF+jgcz5jCDiIuexi3FBUzvASSB7d:6ZCDvmRLDwjPrIuekUz4SS5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2088)
      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Application was dropped or rewritten from another process

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Deletes shadow copies

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • MAZE was detected

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Maze ransom note found

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Steals credentials from Web Browsers

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Actions looks like stealing of personal data

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Changes the autorun value in the registry

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Modifies files in Chrome extension folder

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2088)
      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
      • wmic.exe (PID: 1848)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2088)
      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Checks supported languages

      • WinRAR.exe (PID: 2088)
      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
      • wmic.exe (PID: 1848)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2088)
    • Reads Environment values

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
    • Creates files in the program directory

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
  • INFO

    • Manual execution by user

      • e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe (PID: 116)
      • verclsid.exe (PID: 2836)
    • Checks supported languages

      • verclsid.exe (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
ZipUncompressedSize: 484352
ZipCompressedSize: 427125
ZipCRC: 0x3e6fd65f
ZipModifyDate: 2020:12:06 13:31:04
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 51
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe #MAZE e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe wmic.exe no specs verclsid.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f83fb9ce6a83da58b20685c1d7e1e546.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
116"C:\Users\admin\Desktop\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe" C:\Users\admin\Desktop\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
1073807364
1848"C:\ovryp\oehi\xqdl\..\..\..\Windows\opsvb\..\system32\jud\..\wbem\tst\lus\l\..\..\..\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exee8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2836"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401C:\Windows\system32\verclsid.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 282
Read events
1 259
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1 505
Text files
451
Unknown types
53

Dropped files

PID
Process
Filename
Type
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\AppData\Local\VirtualStore\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\AppData\Local\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\MSOCache\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\AFE359D0-96AE-47EE-A531-EA37D7CE517E\62ACE614-BA67-48A6-AD90-7B66F1D91E22binary
MD5:7DB408B72A3F759B8CC85FC30D7AD557
SHA256:7190238B206A1E278528BF0F75CF3EFA8746BE9A95541CDE9586B036F9462298
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.HPWbujsbinary
MD5:EA6495A76A9EC80015D000734112E772
SHA256:5F3C4E6D19D9BFD568A29C5181A01E28EC803635E03BBB8C44B53D9F5A5FD592
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestampbinary
MD5:EA6495A76A9EC80015D000734112E772
SHA256:5F3C4E6D19D9BFD568A29C5181A01E28EC803635E03BBB8C44B53D9F5A5FD592
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\96458326-0F6E-4F95-88EE-ED9F0B2D5401.YQIhbinary
MD5:4A38C971715543FE038CD1842AA9EA54
SHA256:1787820F7A2DF2E4A6E34FDDFC6DFF59DFCC60DC0A70B046D43B69CC77E6E047
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\.oracle_jre_usage\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
116e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exeC:\Users\admin\AppData\DECRYPT-FILES.htmlhtml
MD5:ED0F86F0FA3A2843C38D46808215E173
SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
POST
92.63.8.47:80
http://92.63.8.47/wire/fnnaytvnty.do
TR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
92.63.8.47:80
Nethouse Bilgi Islem Merkezi Ltd
TR
malicious

DNS requests

No data

Threats

No threats detected
No debug info