Analysis
-
max time kernel
174s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16/02/2022, 23:03
General
-
Target
4674a5f259bdca4233d6e20c7797dd66db2a841be82dc9b73b71e04c51b546c9.exe
-
Size
350KB
-
MD5
e57ba11045a4b7bc30bd2d33498ef194
-
SHA1
63c349d542422e1e6068b897fb9340342414f4b3
-
SHA256
4674a5f259bdca4233d6e20c7797dd66db2a841be82dc9b73b71e04c51b546c9
-
SHA512
5ef5c8c5924e091dcc75b0a8f6cd0a7b77349656a57b801370d8cdd5fca1fbb364cbb28cf3c7d588c6382d686ee672f9564e98275b7ce9049f1f0c2d730536bb
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">47EGSj+NgaMojLf8jfINoPn9C7A5r8th4r3B7BbgRADClREjbCyu7ss5OalqdnQlDX1vzLPA1l5zozy3wY8IifazNHKksvZk0rdBRpq2M4fwacLMNgZLWU+9iTCz8r8XL6VD9td6AcIbjMwmFlYkItP+Bgtg8sDDvQZMquNs6iUtoNSCAYEMwCQs6kX9NNuYVu8/uE19nQ8ExZ6lwmCOU2rg1LSTEEzLCv/BhYza2n5uMB8KCiKdkaocJDxDejgOVBAfzttueOcZICOcFRvYYJhSfwN4Z4iOuUbgSgSrgOX1TzcVXXaPpiH+s4Nsc/ovh5wjeYr5nSOdmZF6SKwne7SHulrvMYiN4R9XQuNC83kRbMAPMZYByYlHm8YAAFjZjbg+e8FN1drpSJIfd/yumowT3ppXCeDoRCQoJTX/vk2zYL97s0dtVfIFDC/RzJ7sEq5KSBuXdMDLaOSPGIcsUC4+oo8kTyuUh1Zb2OAbyRz5Ec6BIEbyrNg4M2f30b57G5r6rA+0/puCyB94FkRTKCk8Y4UDkaIow/WnPwYKwID2tj/vtsrp9F0SPiOtm21PUCz0Y8tYjgqiZ9nhNTpBxqiEUYRZ7fCmWAYCMX01f6w18cZ/d2v8KqcQY9rPqmomMmPYyV8DhG9XVq4ZrPnxNhdD7NYQgjmIJXE1iFhtagiQJXSbpNmP+uMjg0iAM9/vUiaDfHh6ht4e1FL71+IK15uKRv+yajFK62sUsY8/m8Kf0j+CeLucKUSMe1paulyJLrmVwdCU7acZUjzphVh4mrz1XNBqOw5Wd76y7PvrFaITrzQnNmtYPY+p3m7Q8/NFGXFwCsq+GGwXBnM6CoWtntEU+7MQi3iYq7Vb6hJGu1Ts7Eah4WxciSqgMUpgb6TF/z44jfHVJvKD08Ccmejbf68lK/poZk1ai3wMsDbzCIM0pRvgtOGX3I6NEPcr+9XevfM+i++LRZXvTqYAGK4B+5nJ+YSQrSeXLxmnHalMwTkaO3gvVXhr+5UM5M3DmlakJibSDY1UpgwVIXhhm6SB9T48vZoSnjP7MlZHIvdVJaA415X1YGZRHdjYKN4Z9+Aup+6y3gR883XgmsvM9oUVSewEyrhjiShVTxkVGmBjZsEFKdywZXdGPWmFwGUg72OZlrpGjptlekRU4/Q7n/WM3mQBfhYaAxcDkttCvTioecC25DylCu+UU/0X2fjxbJ+bluHWsXj1JQWEBHRk+42WtcWRVuA56T2kAKHHdujwQ+YOYZbmyxVS4D+Hu8HFG+RZFWIotCfxIGn94RFYhLWZvH6C5bH19+QS8hHmbBTpE/DrtrkLDJOE1YsLGX25iManqw3Aandsmq+G/ak2BQnWPO1O1qZdkZFelu3K2dSVchFh8RV0nFGYT4ffZoadR2Akz230yWySPMve4Z4Wvsy9BTwbaDyL5Fd5pg9TEBHyqb5TuWADrHTtVhDSVkm5WS8noHNlMS9fUYWjGYBfRfoeImviKbyE8jwMQ5YKZZxF1LiHsnhhm/Ot6yYAbuEAmvCxHY76ucv+aNAJDhVihdLyRMDgR031VFOJ0jeJ5slr3oHRn/Wclo481FRLH9ZG0UQRiH6pffNnkwP1CLEBqelQRXJlFn+7JQwAHQL1rDSbgANcEGVMLgIBNRjzMjAN1j8xACd2hSKDSG6G9pPr4zQh8G7Zsq95KRTlp+vE7U4yrbufcA/J1K4f1s5Ql6e/j1mPgxWH0IBTiKNlgPWFkcu8LNZ5VYrZ1Ui76dAr87m9qWlOw25Z6/tmrapmRFblkoFzJtgD/s6Yr2Pn8cT72hRSmiz2S++XcVpP+rg6HDoH/aXvoJ0GrBvZt7I//QBWOXR6xaFbqfZtLgtJasf3HMnbCSNAKxnQElO/iztCZUI12bQVvCI37uoxYKPTgBYAUQmd43RZh3VVucZbbLBh3Q/lEOrNfsA3LLXLT693I6sxlJwR593mgCye/zrHZgkx6xdWC/ScuZewv5+nv8Zppsuv16sO5A+kpFyfyMGiHOvpELUhWN2zNrwWwF2NR95T7qdFOht/nZuFG/aqYgkDu8j7s+OIF4ziJPJ63MK1IuVTnN7PxyzkodUIm9EbHg7jrJMcI7zDMIbDgrv8TgtuM1TZ51XpaPwA7qslXUbjX66EkK/V57lovZML9ii6PMqnHNwoV3xwfp0vTsRnXikcQNefqjZK6IF0tipZooJuLfSQXp/23s3FR1ARAJjhnQ5w8QY+4VRiSAoiOAA4ADAAMgAwADkAOQBjAGMAYQA0AGYAMgBhAGUAZgAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwh8K3DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4674a5f259bdca4233d6e20c7797dd66db2a841be82dc9b73b71e04c51b546c9.exe"C:\Users\Admin\AppData\Local\Temp\4674a5f259bdca4233d6e20c7797dd66db2a841be82dc9b73b71e04c51b546c9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\jui\akgxc\f\..\..\..\Windows\ijkl\t\re\..\..\..\system32\caupr\jggti\wgf\..\..\..\wbem\dm\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB