Analysis
-
max time kernel
174s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16-02-2022 23:07
General
-
Target
2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe
-
Size
348KB
-
MD5
d444509ad9103c7b53886c25f7a0db7d
-
SHA1
5815f849de39537e54d080d6875dd886191afaf6
-
SHA256
2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6
-
SHA512
7a36df9119a2157bf5c74e73bc160e46e0add8d178cea26d5395ec3e5677ceeb887bc1de1957c54520e04af47b499b98256649d4b7d5bba427f3b8ceb508a259
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">kDi3AFZSRwTSW41bbtcMvwA4Njhad2fIpi4WOTuO+uvlgtqq/oT3PA+DCNDZOAZkQ0xhtdHFyy4bwDYBVgJWw73Vbt1TNttFSkIlkFDccfrmdg5o3jicWJhn//bY/wse73QXp3N9q706SSNWWITS+6lo+GDRq2DCNzpQ8fHH8kyPLNH8LCiMI6FOD+kEzqY67xKg2PMDmQ/1i1eW7+R9Yvwcv9o8S0ntABt2sltd6BaY5LxjbnBWBvW0Flkt9kqeO7oP1caclvaEJCaSxulA4V+xhb0KrD39qOjS6y+gwWvxF2LmVu8GsKaRPSTkbp56WXDsUWYazuYdlDOXX464jxZvUA57hBXlvOTuN8C9glr+CJtvuKUXK9HoALaf3QhdfaDFHVJ2LB22lO2uy+VceXaM4U6NzLP5J+PVOCl96D4znofY5kJcSzRhs+ic8x26Mcxaw0Lrrn2MtvwAyS7BsLZ7XVxlmsG6j5btMsqhA0X9oqtakYLGGXqzhy4C22X6DWjyNuSMRjIjaNtAEaNbj5h7KEynPcHK4AJnagRQU2WoPO0/LPtOBDamF32mTWeMicPfHiysE7TsUcyl5/oHY384LFj49TR01KY6V9+bLu3/DER0umncWEXD11dOFRISD36SjCuq0t+KWTSCxc62al5IAul6Y6fUu91Lju1oVf+SWeeUp6eHh6Ez4gbezhhiuqB4Jt/15RKw65G4N/oDYD9+lScYVWMdcttfEYN3Nls6Z2d5jkqtNxNyX30o9K64g85xaeeILzXjSQ6LXcqGZHNrZHkIlv0DfXxWc2/sjQ9pX3CBWCOh+XUylYpDM3gsShjaaqDHsM/zjdQWLcdCgRpvtLHJ9ymSXOD8DytyXJx8WrHatMrxYzneVf4tpTeboOI2+i1xU0scRkzUjqBAb7RiQRx6TpO+tY+SvATs8JhSIwCRuexCo7U+guFmhQvOz+bbWQVbyK8mYxko3cCgcseFg4VXgjvXneYok6MIsNp3P83erI79MijPj75tSJO9o6H24p7GluDQYEV9sgByZ9bXim/i1rly7NL6e4rc11dwXx1D/OrbjAZ0hP4uIr4+7m2Y0m5H1XQZk+Gp9IV8Actar7QmiWiWhini2fnfbQDr1jNrSkIZO9F7W3E6nWs1yEb/q/hZ7JT6ub2X0vNV2qfRmDNY9R5JfBQq2EglYYwcBck8jutZehIOJXvgPLFdLfcSV67Q2GbJKXwkzmQkGqFWuYp4aegHD7gYrl7JX2VubHyrANmeo4T6596tAT768B9nVOdZzdmgEOKS5KvXmt7bfkGfQBaD1IkcCFVxuehYBfypYwtat0OIYesvqzhICYgi7X8dwTfKzXmHNSctxovsimbIaTeBkrOUkQJHyC5vZ0pS4SgwBh5VO58spnsMj74lseZYvI65/DCd8wmFJc4AdJ8b9m5Sn0swO+jmb9x8HEIsUlpE2MUkXY8j1Wh1ufFQiBgcLJOH5tG3lLJ7iFhiNFdfwV+z6jqi7UTW9AmQAOGiz/A431k+r7G1hzljiqa0k6mlkb3NmmAI87kfLjbi44in5mwT0oABhbJP+zgfbN6vSGpNO47qf4EIwx5+mVOwTDGg6rTe+D2vWXeX2XTzIThqmbkptc77MpR18kHrtfGTBqgTrnLsaoyfvj7IdZRnbOTKdjDo9KsD5QERBhO07mP0OAzh61JWF4yFygoW72haTgNyWEpKKp0c1HAXsCeXKOibQ8Q9BD+YjN3e3VxrekRlVwwmAoSDlzaO/c1hlqC6jGw38nhvyEIMWh9gl3UCui9gzuuheg+OfofcBuegefxXF0Xedd15wT5U4BNHOwkXxRGaHLUsD9g1C80BQAc3Ni0/Kh4OebEaM0Bk8lfgd6RW8C4mw8YUkNF+0PbKW35FBzfFx04/vtUmMoQ6oNaWiRpAfnw4NuvUf0+gaM+TrhjwgcS01RvBUnCjpJHQtQ8N/IjoYBtcBZdRE5usF9dqWMPo8DobLXnlt29GECFHtgZwIUCdWFz79gqdw9LVopTGL+/o3a92NOuGtlgKLQW55OMvsqj1geFkoqcOHt68xNyv3mAn2NNPx0egIJyCCO7SPkOBQGYKd1JmF5ho8bEdy+3c3Q1wg4LsVaKuNuxMRfy8h45Xnh3rXY51M9GQzACuV+0Emu/UojLUoQhNtXn5J6r1b9PIf6H2P4Q7fvq0OZhqYsWPER3dw2CVVq71RvAR/eHxPbHdeRrRcUkwDpPw3gogOAA4ADAAMgAwADkAOQBjAGMAMAA1AGQAOQAzADYAAAAQgGAaDEEAZABtAGkAbgAAACISSgBEAFEAUABYAE8AUABSAAAAKgxuAG8AbgBlAHwAAAAyLFcAaQBuAGQAbwB3AHMAIAAxADAAIABFAG4AdABlAHIAcAByAGkAcwBlAAAAQjZ8AEMAXwBGAF8AMgAwADQANwA3AC8AMgA2ADEAOAA0ADEAfABEAF8AVQBfADAALwAwAHwAAABIAFBAWIkIYIkIaIkIcPObuA54A4ABAooBAzEuMA==<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>yourrealdecrypt@airmail.cc</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"C:\Users\Admin\AppData\Local\Temp\2d2eebc4d408c5f261c8cd130246bca1736376a5b434f422033ff02566354da6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\hleqe\ryt\..\..\Windows\ts\hm\nw\..\..\..\system32\gbhwo\ag\lrv\..\..\..\wbem\ou\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3368-130-0x000001B93C570000-0x000001B93C580000-memory.dmpFilesize
64KB
-
memory/3368-131-0x000001B93CC20000-0x000001B93CC30000-memory.dmpFilesize
64KB
-
memory/3368-132-0x000001B93F2F0000-0x000001B93F2F4000-memory.dmpFilesize
16KB