Overview

overview

10

Static

static

138e4c4e33...0e.exe

windows7_x64

10

138e4c4e33...0e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16-02-2022 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe

  • Size

    449KB

  • MD5

    8107f019d9d6fe62a49ce7ad40fa1f7b

  • SHA1

    8bf319aa49589558f0ff482bff805676a7fed109

  • SHA256

    138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e

  • SHA512

    7991048cbc053d71e2d92980e516426d04ef55617e04bd00b568c2e7ebd155211dfd8af8f492614cbe056ade6fb81365dd8a1f5cc94e3dbecbd10edb60a67a61

Score
10/10
mazeransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>getmyfilesback@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">sNHfVguSoqtnuxQRBotDG8UfFMYiuquywo6LIKWNpWg0+Ol7S75xyjHFMBC2ZM2cu6IIETv9tFuXlz9PPHoOwPp2sytPdXV/VP2rww0N2lYzWCO0Bi+8kEYhHAlja5zKvu0BADP/T9y1p72aqFwHtjDv2hJY667U5NcnN88cPNBe/Euty1i7TwKCDJ3vNbF3ZYdzrO6HCoyeU/pGyRTWmc3hAyxjdG/klcxzCQlnhNJ+dd9Ctf9TRz4pLLkZeHutUZasAc+Psd95IHC7KvN2U7407rtzbasjUp0JEcF1Ggc9gdP0sBu2M9PYdSabuu8LAbyb/mMaZjGFF/qFn1Ihd93egNXXRhjxfbyFcVxN2bUlcdpFIYQmzdDgScTKKtRjcRSMiLkDmk/FHhRHIJpG6SIjafSbJtk2Qd37qU1OG2srA8i2DyS8thE1x24zmZx0uLCRQsnHJepPFPqCkLVuvIb4NlZudr6P8ojsE1jd0pNt8mjfmfTW8I7FVvoUzLBFJTWrTgmxVIZAJa09J3A4pOVfMjEUW2tyJDBbEj8/EFMo+T83p3QZPsb74yXqu+dUWksmi772bXnIiwbyrD7DsMQxNfvfvrKtO1UDZ5v6nJlPQ+JpwJ1iiXYgWS5aqNPD7YvSmAlPl50lefPYCJdKNn8l5aD9ZCqOijN4dYQgR100+UySvhg9nc7kr8UgC/7sL1pRaGBOqk7ZgCmcqhTUUJMahpGP6TU6Vl34S2G/KOf7dKUthYnrtO3hwBGTc2g0qhpGiQjaydpjJIJCS01etabRKIF0Msn3Z8XVYCAvIp7G7CUE7SjgzRZs0P7EFwfL6GWMVG0mfwjYgwJNlIMd3aTf0yBcISTh5iODyJlhtdw7XpcdPAZvJ+JElDBu+atNFsEiJOkR+VRWZhcBasIr9RZ9alsesUb0QIRH3UpZzm1c6l1jjMGdsFiZwPChzK1UC1ndLCs5V3gbGXSaLWtfEYoNaBmBQaycAuWvj3FUsOdxjyTV+x2p6r3NPmBUPhhjzyILZ9/OjAyOAxdIS5rQ7qVJVx0fXJrsGFmLsVLEKDwTPzHJmtr1B9Epu82qvJWAaseUqNvX7WCgTrDuiUF3AVBfoV+ZnVmlEt8OwBLqDxVed1cN05/3shg4DwkgGM0J2krc99BFP9N5BSLJm5nJbGEBAR+Z1Ema2aZh9VLjvXnB5BF2tsbUiu5E0AOqCcF6jAyLXzWSKmdsP7cENrra17gJanvBWC7n6o24nJFUXxDiu6cEDHEwrgpAKmUQBG1xZYKOAI1jBNSFRptdkAMSSO85n6YvPhJZJvoZD9uqsMv9EiStIbWv42bA6AA0UDiMycv/jk+BQZiDEnVVIGRgucmFXHWCNf6ZI7lDYmuXxhB2op8SsWF8XmO5z02I475ATdFRtfqajUJGLsf78F8Ri2CkpOgWbHRny9QC5oBUtIBwPV+1gG8ZbRS8ZXBTsixGsA7COgjqN8fi80160QWIa4cZhAvUZI79RU3aDzqi4DRP2Ko/qV+R7sfG0THTHBBwOnzQnEbkjXAr/dXfqi4sgVsmn1GA/EJ2YFznSpTltFzfnsacE4YiQkvCeyRRFHb3xvcNPyHEAaQ/RdbgpWLuPGEqK1Lbq5i9MrStKABgxkyS3KA3qxPJBDv2BAyarYFaYu9XC/Qkf/Jr+ci/NOapZiewQbq4BvZjWQudpb1kkVdbuvV511hOW1Sz0xT6pYCuXJT2VK158lcCmO/YcFj82bUZSY2oV3JSM8DIPo0Et/WSDeMk1y1XGCZd4Bz1Zpq7p10ZKvrmnhR9omHDkXdlpCEn75V+SPVraCc0qr6F5GMEaSL2pl8KhoZWdUHk8GNEL333zwmtgos0UgxiFHcp9ai8Q573byeQspUgMkx9Ca7mHTo+jZqyNm8scqbSJh7yUWzj4PypzoLRkPId0FredMVlEvrQiPLzUgBe1+viR1PrwmhCB7yP+iq6hb8IdN+QeXVLg9d2q7uc6HuHpLtUEqSwdY/L+hmLaKOGv77F626mbnlaXaPqySvhyIMRtCLq1EKvvRHxIbhM6SBJJGomIactAz6KyAjzJns0VpPT+Hv1bGcpW1N3aNx5MluAzKyrCwseYCEQY/4vR8IfopKMeayy4zomUTycCxr+x/brLawI5+u3A/MS4ZfFwszfu3Z7ew4OoydyvLUWv5aIigXcaRXU5XyjiyNieW+iWRntffAveudeg/OsXO7h8P6r3d78emQGFgoiOAA5ADIAZQAwADkAOQBjAGMAYwA0ADAANgBiAGUAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwvtjYe3gBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>getmyfilesback@airmail.cc</b>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe
    "C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\system32\wbem\wmic.exe
      "C:\dgmkk\p\vs\..\..\..\Windows\bbstf\u\..\..\system32\xwbph\..\wbem\do\gfuqx\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:912
    • C:\Windows\system32\wbem\wmic.exe
      "C:\wx\p\mapyg\..\..\..\Windows\lvrnw\..\system32\o\qmhci\..\..\wbem\t\n\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1592-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1592-55-0x0000000000B50000-0x0000000000BA9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1592-58-0x0000000000B50000-0x0000000000BA9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1592-59-0x0000000000B50000-0x0000000000BA9000-memory.dmp
    Filesize

    356KB

    Download