File name: | f83fb9ce6a83da58b20685c1d7e1e546.zip |
Full analysis: | https://app.any.run/tasks/f80d5598-f771-405b-aea3-f95389b9a920 |
Verdict: | Malicious activity |
Threats: | Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data. |
Analysis date: | June 27, 2022, 13:07:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v5.1 to extract |
MD5: | A024E1D53D75EAEFC4AA74131FF16FD8 |
SHA1: | CFD053A7E793EC84EC78679F224B417C760E0A5E |
SHA256: | 77B2731FF3C7A14B8B962EA387C41293415B3478E73973888851991105777560 |
SSDEEP: | 12288:6Zr2Dvm+2LDF+jgcz5jCDiIuexi3FBUzvASSB7d:6ZCDvmRLDwjPrIuekUz4SS5 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe |
---|---|
ZipUncompressedSize: | 484352 |
ZipCompressedSize: | 427125 |
ZipCRC: | 0x3e6fd65f |
ZipModifyDate: | 2020:12:06 13:31:04 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0003 |
ZipRequiredVersion: | 51 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2088 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f83fb9ce6a83da58b20685c1d7e1e546.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
116 | "C:\Users\admin\Desktop\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe" | C:\Users\admin\Desktop\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 1073807364 | ||||
1848 | "C:\ovryp\oehi\xqdl\..\..\..\Windows\opsvb\..\system32\jud\..\wbem\tst\lus\l\..\..\..\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\AppData\Local\VirtualStore\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\AppData\Local\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\MSOCache\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\AFE359D0-96AE-47EE-A531-EA37D7CE517E\62ACE614-BA67-48A6-AD90-7B66F1D91E22 | binary | |
MD5:7DB408B72A3F759B8CC85FC30D7AD557 | SHA256:7190238B206A1E278528BF0F75CF3EFA8746BE9A95541CDE9586B036F9462298 | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.HPWbujs | binary | |
MD5:EA6495A76A9EC80015D000734112E772 | SHA256:5F3C4E6D19D9BFD568A29C5181A01E28EC803635E03BBB8C44B53D9F5A5FD592 | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | binary | |
MD5:EA6495A76A9EC80015D000734112E772 | SHA256:5F3C4E6D19D9BFD568A29C5181A01E28EC803635E03BBB8C44B53D9F5A5FD592 | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\96458326-0F6E-4F95-88EE-ED9F0B2D5401.YQIh | binary | |
MD5:4A38C971715543FE038CD1842AA9EA54 | SHA256:1787820F7A2DF2E4A6E34FDDFC6DFF59DFCC60DC0A70B046D43B69CC77E6E047 | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\.oracle_jre_usage\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D | |||
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Users\admin\AppData\DECRYPT-FILES.html | html | |
MD5:ED0F86F0FA3A2843C38D46808215E173 | SHA256:FDCD2FD28E29965EBF4EFAC2EBD4F8A18357B6EF99D808A1AF14089A93D1FB0D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | POST | — | 92.63.8.47:80 | http://92.63.8.47/wire/fnnaytvnty.do | TR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 92.63.8.47:80 | — | Nethouse Bilgi Islem Merkezi Ltd | TR | malicious |