Analysis
-
max time kernel
165s -
max time network
130s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-02-2022 23:05
General
-
Target
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
-
Size
453KB
-
MD5
248c960c1ae54103dea5bfae924f28e2
-
SHA1
504ce8efee0f7f8329c09c6d045a21c795a84b42
-
SHA256
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
-
SHA512
5b3dd4be33c48cedda5b9270a6454540e837e9611db4d43b35e7290ff7e25dd3b5c0342de6de38f12e8c7d5f291c62ef026236825134d1181e7ba5bdf8103464
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">8RMzltrDlDXecT4LEe2YpG1N/PJRdhtCFXmvYmkbw0VYZjcanYFHgeVy5FcD7qKXLOaRUZehQ6MGsv+H2Q7Aet4lnB323JiiWZgwy7hSidhOMyaFtHpUBRGw0evYwFmYAjkk7nmb8x0r0Rp3Eg6LzUgx/cUWaI3HMtHDvIKeScPjsClzFZd67JiF3b9RyhxnQD4hdWgzRupOBJEoOuCIfj2o1e0Edim+xbSZpAguk/qitWINs3vo8wKB25Izgb5WdKAICJYssJeKYMzUpKp81WM9au0Cb86h+GVbkNq0pMxIzqsGu5C2gHl8CDImtyuOEcwtrqBBNPVRTQOpCRQKUfLTtQr6X18wBBAfneyja2k5v4VllVhPq0hr0ftBrZVcUqCO1b94zKfR/p7TY6J4RrWBDIDJ4lS7l4pDIn+wgCRcYhhpS2ZX9weEXo13wwfsJsJjBmYv3y0GPfHGYtAJInGVIG8uroioMkIV7fTTInoR28fk1eHq5bPqt2NK92LAemExN8dP+Gc/q5EaMAeTptEUOgzpNn3XCXymli4mfhnjD/OOhYE/8fg6ssifrFSDoJuUKbIq7GzWaK/6gEYJN9uXfLVkGOmUI+OOJc3Mx7qOZr7Ivm8+mCUoh9uJDD7W50FgKu7R67G4Lfsj3hZveOOpXeIYsd51zLK9GQAZekmhwTrV8J0Kx+EKwCs+Y5S2eeACYnsprhHy9W8CbMqHA6iKmGMlj6ETfN8c1bFtdkXN4gJe/2k5Y6NWCRV/2v1pRmI3mphl6Kfjn8a+mw3zYuBJZJDnnoZJWMqqrTtNXoXFWnHK8sVVT4hIoh8ymBX2qVkRqixlEyNfHsv7iiRdpsIbPpI6jaUYXd/4s1pvmqxc/QNcfoObm4bQtM05Ec7MUqbgrYtoAxkgqAUNYDZjpVSyMwlmUL7R0sWruTnxLWvHB8fTIWUwD815dRqP4+OXRP09ZbptB3A5EVAHmZSIDyDLjWDzmFNPtjUz3OMaa8qCTKBQqE7U/xfQTKn7sV/i1TmNrPyhfDgAjB0wmVJhEQEt7pBj56aaNd4JTdfhaVphFbqXY2WmprZC8j9CYIZajjvp6wc+57fwBkDlo0Ako5mf20kg5o+r31yVcPylYdOhepwanLFWD+nB80sZR030zIX4aau3VJWISXPNADblsJKmUxVHfDGszbxAzzzzlNOWcQhLgCOw+a8eR8g2DnU18+WVw7U+2WKlEBEc508gfw+el6OME9sgz0PyUtY6E9ae6X2lZRVYHvNWpD23L1Vt+5M3f5lRtyHEz8SXC3TlHKWv2W32BCPORLs1YYdCxqh2mbFL+pGFvF8ym46AsfIXt28h2OUiIub5j/UN5WtVFY1vj7YRynTbceP0Lq/Z0GqUPubJWrL7k68/aHOrzZoCkIHpnUrdyLC3wP+B3yK2ixQN5J71KVYbB1VfDkD5L/jjCXNIe+I2JjrQ5Aw5kdSVs2Tc5E7U6GmTAQcnZ7wibkx7oDmZgaQBlxOOZTXvONXh+bvxzNcLz5TfiM2HCoZEmHX+7nPXxMVPTC1t94QqxDVVJO8oAnXAM/l7F5iIVR54bNzpLWcXOxtSZjOAfH5Rf/Q02e2hX1hR7oMc+kPHFbYQd3Z85DzYKvGZj+k/huEbt4l0Uv/sBeQ1APE8MJvMP3jly7P2285ajgjxBWdtwWMS82OPwzvNVuiwTCjYQOJ9Zlo/Hj4xdgxC0cgmb8wk3fbvpeIfZuDIzDZP0zuVt+bWy7TQ19qIxAI3+jhGFa6loLybXuFGDw2skuI6U4ql3Fa2mUOBsFOKV9vrt90eiqSgdSRcV2hdPV/SkmlFy+78V0xl1h7UdbwyqgeFtOmqzjsPltOwK8pVlxg2KP1PFzwjeRTZcaAj25BZ5X0RKWz9T6l5hT17zm6XS/LJUw/+tyG8m6mCBFSl8a+pwWOZv6gWHkTp+QTSFZJInSxLK9FX3jm+slvxRylfr7sr/Tu1XhROCDaZmQGo7+5hf4iW5DIeqeXZnqug/qCX6inaC9BBU2vPwrgzpqroj4OVfk0EgTnUx+G3Pij2+gvHt1UjD4kDh6mXFrHIQG+6hS5hggYxsj1CUpGTdkMb5PTtAmwINnVos0OIUyo+rL6Mw7RdI4irAoQgS9sAzdU2DFp86S6czbrJFjD8ND6wMHBGQthILSfvzsrYD3XZXMNBSKauTptjVamd6dZIwxqC6a2wwoZ4H/BbIZg07X99q9eXyalTVJagMQoiOAA4ADMAOAAwADkAOQA5ADgAYgAxAGMANQAzAGEAOAAAABCAYBoMQQBkAG0AaQBuAAAAIhJRAFMASwBHAEgATQBZAFEAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADIALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw8K/Ze3gBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\boph\..\Windows\igygm\..\system32\xdg\jp\..\..\wbem\vv\uj\i\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB