analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

5252753136844800.zip

Full analysis: https://app.any.run/tasks/36cfdc1d-805b-4c3a-a758-f3e36c530425
Verdict: Malicious activity
Threats:

Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.

Malware Trends Tracker     >>>
Analysis date: March 30, 2020, 15:35:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
maze
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2A3C7610D1F141A9430B794CD23F49BC

SHA1:

CB7CF3D6D79F53760FDA7E71505D4ED310E0C2E1

SHA256:

84A7FCD0268600F7678C4A346796E2762B59F144B7A00A18349DF465A0B0597E

SSDEEP:

12288:KLznYk2edCwwBCV67fITH8gTz/mPDnX5ZfUe53Qp:2nEeV6kTH8+TuDnXT7p6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Deletes shadow copies

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • MAZE was detected

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Actions looks like stealing of personal data

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Renames files like Ransomware

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Writes to a start menu file

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Writes file to Word startup folder

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2876)

    • Changes tracing settings of the file or console

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Executed via COM

      • DllHost.exe (PID: 3484)
      • DllHost.exe (PID: 1732)

    • Executed as Windows Service

      • vssvc.exe (PID: 1720)

    • Creates files in the program directory

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Connects to server without host name

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Creates files like Ransomware instruction

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Reads the cookies of Mozilla Firefox

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3392)

    • Creates files in the user directory

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2948)
      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)
      • chrome.exe (PID: 3392)
      • NOTEPAD.EXE (PID: 3984)

    • Reads the hosts file

      • chrome.exe (PID: 3392)
      • chrome.exe (PID: 2816)

    • Dropped object may contain TOR URL's

      • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe (PID: 3192)

    • Application launched itself

      • chrome.exe (PID: 3392)

    • Reads settings of System Certificates

      • chrome.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
ZipUncompressedSize: 518656
ZipCompressedSize: 444578
ZipCRC: 0xd385327b
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
42
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe explorer.exe no specs #MAZE fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe WinInetBrokerServer no specs wmic.exe vssvc.exe no specs wmic.exe notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs WinInetBrokerServer no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2876"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5252753136844800.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2948"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3192"C:\Users\admin\fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe" C:\Users\admin\fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
3484C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3000"C:\lca\qnp\ovskq\..\..\..\Windows\xxlmy\hb\ogy\..\..\..\system32\lqa\cjo\t\..\..\..\wbem\ip\xe\..\..\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1720C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3188"C:\g\svh\..\..\Windows\io\erbwe\ltdel\..\..\..\system32\o\..\wbem\jire\hdek\qojaf\..\..\..\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3984"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\DECRYPT-FILES.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3392"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3608"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d36a9d0,0x6d36a9e0,0x6d36a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
Total events
2 188
Read events
1 807
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
441
Text files
495
Unknown types
26

Dropped files

PID
Process
Filename
Type
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\autoexec.bat
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.MxcYC7W
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\System Volume Information\SPP\OnlineMetadataCache\{02b4b32f-3d9a-4f0c-90b3-b3f695ffdbdb}_OnDiskSnapshotProp
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp
MD5:
SHA256:
2876WinRAR.exeC:\Users\admin\fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971fexecutable
MD5:E69A8EB94F65480980DEAF1FF5A431A6
SHA256:FC611F9D09F645F31C4A77A27B6E6B1AEC74DB916D0712BEF5BCE052D12C971F
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\System Volume Information\SPP\OnlineMetadataCache\{0e2a6214-ab14-4acd-9944-51dcd3caf902}_OnDiskSnapshotProp
MD5:
SHA256:
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\autoexec.bat.MYM0binary
MD5:A27E52C81C14FEB3F51D0AABC2AE2242
SHA256:1F78EB0725D2320241CEC655A4816F88CFBF2BE497F409F52C2E25C29EAA48D5
3192fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\DECRYPT-FILES.txttext
MD5:AF69CFD1A76560B57B322BC74FB81272
SHA256:61CC895386FC7EE26D864446399C429146734B5397B774ADD70A7F4730050034
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
59
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
404
91.218.114.4:80
http://91.218.114.4/rcrb.cgi?ehmt=k7&pxi=k2xpi2&b=p0q0cgj0y1
RU
html
206 b
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
91.218.114.26:80
http://91.218.114.26/edit/pckt.shtml?hu=2
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
91.218.114.11:80
http://91.218.114.11/signout/mmrcjggx.jspx?ci=7jfo15&rtk=03&is=o164db7
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
91.218.114.4:80
http://91.218.114.4/post/signin/wafsrexgtf.shtml?yah=ns3nm0xi1&mekv=e3&a=21ql85a2nw
RU
malicious
2816
chrome.exe
GET
200
74.125.99.91:80
http://r5---sn-hpa7kn7s.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=bs&mip=185.128.27.151&mm=28&mn=sn-hpa7kn7s&ms=nvh&mt=1585582576&mv=m&mvi=4&pl=24&shardbypass=yes
US
crx
862 Kb
whitelisted
2816
chrome.exe
GET
302
172.217.23.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
525 b
whitelisted
2816
chrome.exe
GET
302
172.217.23.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
520 b
whitelisted
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
404
91.218.114.4:80
http://91.218.114.4/post/signin/wafsrexgtf.shtml?yah=ns3nm0xi1&mekv=e3&a=21ql85a2nw
RU
html
226 b
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
91.218.114.31:80
http://91.218.114.31/update/withdrawal/ccwmnlt.jsp
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
POST
91.218.114.25:80
http://91.218.114.25/bwbyiqwvu.phtml?fi=8la80c&rpoo=r58&mw=558
RU
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
91.218.114.4:80
Mir Telematiki Ltd
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
91.218.114.26:80
Mir Telematiki Ltd
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
91.218.114.31:80
Mir Telematiki Ltd
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
91.218.114.25:80
Mir Telematiki Ltd
RU
malicious
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
91.218.114.11:80
Mir Telematiki Ltd
RU
malicious
2816
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2816
chrome.exe
172.217.21.238:443
apis.google.com
Google Inc.
US
whitelisted
2816
chrome.exe
172.217.22.35:443
www.google.com.ua
Google Inc.
US
whitelisted
2816
chrome.exe
172.217.22.3:443
www.gstatic.com
Google Inc.
US
whitelisted
2816
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
accounts.google.com
  • 172.217.16.141
shared
www.google.com.ua
  • 172.217.22.35
whitelisted
fonts.googleapis.com
  • 172.217.23.106
whitelisted
www.gstatic.com
  • 172.217.22.3
whitelisted
apis.google.com
  • 172.217.21.238
whitelisted
ogs.google.com.ua
  • 172.217.21.206
whitelisted
fonts.gstatic.com
  • 216.58.206.3
whitelisted
mazedecrypt.top
  • 146.0.72.85
whitelisted
www.google.com
  • 172.217.22.36
whitelisted

Threats

PID
Process
Class
Message
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
3192
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] Maze
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
5252753136844800.zip