{
	"id": "d0092324-8d5d-4144-8d25-2f9c5e64145a",
	"created_at": "2026-04-10T03:21:00.468313Z",
	"updated_at": "2026-04-10T03:22:19.047914Z",
	"deleted_at": null,
	"sha1_hash": "2f2955c1c989909f7d34d79872cb3dbffe4ebbfa",
	"title": "Maze ransomware continues to be a threat to the consumers - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879929,
	"plain_text": "Maze ransomware continues to be a threat to the consumers -\r\nHome\r\nBy Preksha Saxena\r\nPublished: 2020-06-18 · Archived: 2026-04-10 02:40:14 UTC\r\nMaze is a recently highlighted ransomware among the ever-growing list of ransomware families. The ransomware\r\nis active from the past one year, although it came into limelight due to its new approach of publishing sensitive\r\ndata of infected customers publicly.\r\nThe malware uses different techniques to gain entry like the use of exploit kits or email impersonation. These\r\nphishing emails are having a Word document attachment that contains macros to run the malware in the system.\r\nMaze uses CHA-CHA algorithm for encryption and its key is encrypted using the RSA algorithm. Maze can run\r\nwith or without mutex —it uses some Russian IPs for the webserver to sends information from the victim\r\nsystem(s). It uses RSA encryption request for CnC communication and it will not encrypt the system for the\r\nspecific region by checking keyboard type.\r\nStage – I\r\nVBA MACRO\r\nThe attached document file has a form containing an input box in which the number array of encrypted URL and\r\npath is present. The document file contains an ActiveX object. When it is executed, URL and path are decrypted\r\npost which it calls URLDownloadToFileA() that downloads an executable to the specified location.\r\nhttps://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/\r\nPage 1 of 10\n\nFig 1. URLDownloadToFileA() Call with their parameters\r\nThe number array is read from text box then converted into characters and concatenated to form a URL and path\r\nwhere the file is downloaded. Sometimes it also uses PowerShell to download the file. In most of the cases, file is\r\ndownloaded at “C:\\Windows\\temp” location.\r\nFig 2. Characters stored in Number Array\r\nStage – II\r\nA. CRYPTER\r\nThe first stage of Maze ransomware is custom cryptor. This cryptor is a packed one with few imports. 
It loads libraries by calling LoadLibrary() and GetProcAddress() from kernel32.dll. In this cryptor, function names are stored with their adler32 checksum.\r\nFor anti-debugging, the cryptor passes junk strings to the function OutputDebugStringW().\r\nFig 3. Call to OutputDebugStringW()\r\nIn the code below, it checks whether a particular file is present; if it is present, the malware terminates. Similarly, it also checks for specific command-line arguments and, if they are present, changes the execution flow. Then the malware loads the resource in which the actual DLL is present. The loaded resource is encrypted with an XOR operation using the key 0x41. After decryption, we get base64-encoded data.\r\nFig 4. XOR loop and API resolution\r\nAfter copying all the data onto the stack, the API names are formed and then it calls the LoadLibrary() Win32 API. Then it decodes the base64 data by calling the CryptStringToBinaryA() API. The decoded buffer is decrypted again using the ChaCha20 algorithm, which yields the actual payload of Maze ransomware. Along with the payload (which is the Maze DLL), it also decrypts shellcode. Using the CreateThread() API, it executes the shellcode.\r\nFig 5. Call to CreateThread()\r\nIn this payload code, it first loads the base address of kernel32 from the PEB. The code below shows the loading of the address.\r\nFig 6. The address is loaded from the PEB\r\nThe shellcode allocates memory using VirtualAlloc() and copies the DLL file to the newly allocated space. Then it creates a thread and executes code from the DLL. This code changes bytes at the original entry point and then jumps to the OEP.\r\nB. MAZE PAYLOAD\r\nIn the decrypted payload, it first loads all the APIs and then patches DbgUiRemoteBreakin from ntdll.dll. 
It is one of the anti-debugging techniques it uses to prevent a debugger from attaching.\r\nFirst it calls VirtualProtect() on DbgUiRemoteBreakin with PAGE_EXECUTE_READWRITE as the new flNewProtect. Then it replaces the byte 6A with C3 by a simple mov instruction. So, if someone tries to attach a debugger, the attach will fail.\r\nFig 7. Copy 0xC3 to the DbgUiRemoteBreakin entry point\r\nFig 8. Code before and after patching\r\nThen it enumerates running processes using Process32First() and Process32Next(). It calls APIs using a ‘je’ instruction: the return address is pushed onto the stack, and execution continues there after the API call. The call is replaced with a ‘push’ and a ‘jz’ or ‘je’ instruction.\r\nFig 9. Call to Process32NextW() using a jz instruction\r\nAfter process enumeration, it obfuscates all the names with its own algorithm, which uses XMM registers. Then it calculates the hash of the obfuscated string, which is compared with some hardcoded hashes. Some of them are:\r\nProcmon64.exe: 0x776E0635\r\nProcexp64.exe: 0x78020640\r\nIda.exe: 0x33840485\r\nDumpcap.exe: 0x5FB805C5\r\nX32dbg.exe: 0x5062053\r\nFig 10. Compare hashes with running process hashes\r\nWhen any of the process hashes matches, it calls TerminateProcess() and kills the running process.\r\nIt will not encrypt files for specific keyboard types. To get the keyboard type it calls the function GetUserDefaultUILanguage(). For example:\r\nRussian : 0x419 // NOT Encrypt For this value\r\nUkrainian : 0x422 // NOT Encrypt For this value\r\nSerbian : 0x7C1A // NOT Encrypt For this value\r\nen_US : 0x409 // Encrypt For this value\r\nFig 11. 
Check the value returned by GetUserDefaultUILanguage()\r\nThen it first communicates with the CnC server, whose IP list is hardcoded; all of the IPs listed below appear to belong to Russia.\r\n91.218.114.4\r\n91.218.114.11\r\n91.218.114.25\r\n91.218.114.26\r\n91.218.114.32\r\n91.218.114.37\r\n91.218.114.38\r\nFig 12. Hardcoded IP list\r\nThen data is sent to the CnC on the first request; the data sent is the username, computer name and OS version.\r\nThe malware creates a mutex with a unique ID; the unique ID is created using SHA(GetComputerName() + VolumeID()).\r\nFor the ransomware marker, it creates a unique file in the root and in each folder.\r\nMaze Encryption Process:\r\nThe malware selects files for encryption based on the extension. It excludes the following extensions:\r\n· Exe\r\n· Dll\r\n· Sys\r\n· lnk\r\nIt also excludes the following files:\r\n· Decrypt-Files.txt\r\n· Autorun.inf\r\n· Boot.ini\r\n· Desktop.ini\r\n· Temp/000.bmp\r\nExcluded folders:\r\n%windows%, @gaming%, %programdata%, %tor Brower%, %local Settings%, %appdata% etc.\r\nFig 13. Checking folder names; if a match is found it will not encrypt the folder.\r\nEncryption process:\r\nIt first creates a key and then exports it to the file “c:\\programdata\\data1.tmp”. Then it drops a ransom note in each folder before encryption. Later it will just import the key from this file and call “CryptEncrypt()”.\r\nIt retrieves the drive letters and then determines the type of each drive using GetDriveType(). Further, it enumerates files using the API calls FindFirstFileA() and FindNextFileA().\r\nIt deletes shadow copies by constructing a fake path for wmic and then running the delete command by calling CreateProcessW(). It encrypts files using the ChaCha algorithm, and the ChaCha key is encrypted using RSA. For this, it uses the crypto APIs. 
Encrypted files have a marker at the end, which is ‘66116166’.\r\nFig 14. File encrypted by Maze ransomware\r\nIt creates a thread for each drive, which in turn calls the create-thread function for each folder, and that thread does the encryption. Encryption starts from the root of C: or D:, and in parallel it also accesses shared drives using the WNetShareEnum() API. The same encryption function is used for encrypting the files on shared drives. The first folder to be encrypted is “$Recycle Bin”.\r\nCreateThread() is called with the following function for each folder. The file is opened as follows. The file is encrypted by calling CryptEncrypt() and is then renamed, with an added extension, by calling MoveFileEx().\r\nEncrypted File:\r\nFig 15. File after encryption\r\nMaze malware uses many tactics for anti-analysis:\r\nAPIs are resolved at runtime.\r\nIndirect calling of APIs \u0026 functions using JE \u0026 JNE instructions.\r\nPatching DbgUiRemoteBreakin to prevent a debugger from attaching at runtime.\r\nChecking the BeingDebugged flag.\r\nChecking for a VM.\r\nChecking RAM \u0026 hardware size using the APIs GlobalMemoryStatusEx \u0026 GetDiskFreeSpaceW.\r\nChecking process names by calculating their hashes.\r\nPrevention measures to stay away from ransomware\r\nCommon infection vectors used by Maze ransomware are phishing emails with MS Office attachments and fake/phishing websites laced with exploit kits. 
Hence, we advise our end users to exercise caution while handling emails from unknown sources, downloading MS Office attachments, enabling macros, and clicking on suspicious links.\r\nIndicators of compromise\r\n49B28F16BA496B57518005C813640EEB\r\nBD9838D84FD77205011E8B0C2BD711E0\r\nSubject Matter Expert\r\nPreksha Saxena | Quick Heal Security Labs\r\nSource: https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/"
	],
	"report_names": [
		"maze-ransomware-continues-threat-consumers"
	],
	"threat_actors": [],
	"ts_created_at": 1775791260,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f2955c1c989909f7d34d79872cb3dbffe4ebbfa.pdf",
		"text": "https://archive.orkl.eu/2f2955c1c989909f7d34d79872cb3dbffe4ebbfa.txt",
		"img": "https://archive.orkl.eu/2f2955c1c989909f7d34d79872cb3dbffe4ebbfa.jpg"
	}
}