Overview

overview

10

Static

static

3885589a3c...63.exe

windows7_x64

10

3885589a3c...63.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    169s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    16-02-2022 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

  • Size

    453KB

  • MD5

    248c960c1ae54103dea5bfae924f28e2

  • SHA1

    504ce8efee0f7f8329c09c6d045a21c795a84b42

  • SHA256

    3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363

  • SHA512

    5b3dd4be33c48cedda5b9270a6454540e837e9611db4d43b35e7290ff7e25dd3b5c0342de6de38f12e8c7d5f291c62ef026236825134d1181e7ba5bdf8103464

Score
10/10
mazeransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>getmyfilesback@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">dkX7aGsNWJsnH+4ou6gvXOUOdEwlGUx+fMNgD3FJqXKE6zDk/qrwhPZNVh9y9MFOThveSMfN5o7luw3yKsewrIqHItBG1fv1FHDQHejA1je2P6czy3ZvOBHFkAjUMBh6N9c5zStmDi/ySJZPBrldopSmGBWzC7sRI5nf3P4doeINsZxLk0c/qxWT/WwtV2JA1Fcyla1l8fQu0dLrARfbLJ1EE8xn8A5Z0dm9aY0bHYv8K55qAPw5h196d7FfsjnwtBDPSgnvQ6NlzFLnrvfDBTjpcUlCeu9oqUrLGGVCexkzBEsoO6Q0LqBWi6eIWn2Y4QmzD3PeI4CRct9YMoBQZSIPg0X6isHgTRPA42daUGADISqqAOL1c5wAhLdx+SJwbEPVIVKItezdgcZhlQC02DLYWCpxuwYktr6crWRkwQvC6FukqxTrBQYCsGla+M6tpSV2MeQZD1/B57UFDfKE84CpkS91dgUC12OVpBmCzwbnqr9U8EAG0lb8szom/WIM84LKOApCWJuCfbnn0ewXQiOCvUvaXOIxTClL3Ornfn84eke5qgBc+JM+F1H43A/nH4xO3zf3NkkT+2T8YzVtaXrIHqKAhfOaDZ3FQT939dBZv+3p/s2yyBJzj5G07HPR+C47b+770GBeQjoEprhhY07RAgE1OLSZPIC2A3aF+BXLP7f31iRuO9KFIE7mUHakUNswmJV4W8j+hUpN7Dx6eOyOQnaVLr2coR4wC8FCjr0w3l9III+wLTJ7DXnoRA41ihcwRwil59vsUnTotsj/QIXtASknQB4VQatV4Wq2h7GlqnuZmG7aJNB+wwl1qZ1BEINcwz3iHbOMl2GJl+FuNXJwaPXWZxAg9ELswkPPE1HzPax/axNaFX9Hy2jnz4lx+IDLhespjFyUKa3bD3mzTVyP2VnIyL2bsO/Un4hWhEtbVk3YbpV6xTzPjpQk52W3hUp7jHmfJ/+PbY1uNgM0G8a9QVK8lpSnnSvtzpMtdCbEc2SrIvj+wNxlXxIVrSeBv5b/im4I+7XZfPednvTDwtRwpLWY6Or8uDjs5x2oS0h41cHFunHeYcJh8p1BclwBrE+3wbmhmMMEnBmHAjihoduAMWJLCB6yrQtfYRk5Ve4lDb9l51U4Y7MqXdE1YhQ0N2r7wEad1nirEOAw6avwirKH6DhCaufGf3BUJrNydhH2fUqcvzBw/WT7wmeauYZ5ojOZ8XfJfHN4aZjvolTJcBDSeZQmM2aia20NihnWOr1Z12CrQxSjobYlHo9OHMveyj9FEszbEQeeDJsWtldDF6LPZkQhb2jV8N222nE9esUskJA0kSov13DHi/kd50WSOj45hk/f3g7TdZYS7K9fRDcDpyr1bKeXyVhJyB31KSmRHXZ5BzqcFwYLVGFiWtYXGLT8iSDXZSa75KD5rBwPkO3m0an1e5zLBwSp2xpJcqUJjB2erw2GG+t6dTRHaHkxVslt8kmJSZhzPcy3jRjSE7ZbAgzBNXVUgfqulSj3pmybcejTPDyPOkzYDJTq0SB0FI9R+vjlqhzCfJj9zBpUID2bkjnbDDSGZfDKrvZwGw1lHWsfgNFBcsLEpvGB68oELEuCjEwSmcPe20SAC9layUkhkVu5TxGwxqfVF8+efpXXnvswEOlchAqJUv5BrMuQgeC2uleFQA3j2tteZKcIczNxoQogty1Of+rYlOmh7EK2LQ4WU5mgjVi6e984kJcrNizxgmnQNi4Ee25lNfhjIvHVokXLq8PNfNGGu6HjrOdue9eSQjJm875e1MUuSl36mliex7NIpeT4MJvrDU7LAQcKc2GIRoCWausm2xyrEQfkLt82NHOF/sfnGRckSTh3NizwGczmDQtwQNAMHzOuoNGcV/okhA+/sm1tUs9NiLHEIU8qQSSGAhXY0Mcer9vZcjPPDAUw4pGGh0pMjZppq3R8IfI9o/m87dfUTqfLBBJ8wwOCypsGQjiimdSMaWF5FLOK8FofNYP2LTCXffn+Gw6KXQ13OmchsgeL4bgkjq3ZgtaLCk/cNmqmUNtlieopBoLo88JFs2fl5oHBLX4aZl4JVr+ZnvkUXIn1dAn4NItyWsw0AlJOESEbuoA+d1lQaT+KFByy5LX8GhvG8YpCFxMr0BVZSs74sRyfDaz9+yfU5n8tHnoxhqLBZZzt//B/wAOhdeYNG2x3Exu3ncSneWzVD6FiHCbpMFEk5PWDRI++fgrqHF1GnyCjKqV2fwLYR17UMQoiOAA4ADAAMgAwADkAOQBjADIANABkADgAOAAyADQAMwAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADcALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw2ZS4DngBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>getmyfilesback@airmail.cc</b>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
    "C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\wbem\wmic.exe
      "C:\njj\..\Windows\sma\vyrxm\ajyis\..\..\..\system32\e\gfi\..\..\wbem\vaqe\rxx\gokwn\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3208
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:224
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1792-130-0x0000000002E20000-0x0000000002E79000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1792-133-0x0000000002E20000-0x0000000002E79000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1792-134-0x0000000002E20000-0x0000000002E79000-memory.dmp
    Filesize

    356KB

    Download
  • memory/4264-135-0x000001A014D90000-0x000001A014DA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4264-136-0x000001A015420000-0x000001A015430000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4264-137-0x000001A017B10000-0x000001A017B14000-memory.dmp
    Filesize

    16KB

    Download