Overview

overview

10

Static

static

05297f8224...62.exe

windows7_x64

10

05297f8224...62.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16-02-2022 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe

  • Size

    391KB

  • MD5

    e8e9272aace01bb4620601f1fe51e278

  • SHA1

    21de9ba136a16e1929f7d50ee1b5bb8b30e85406

  • SHA256

    05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862

  • SHA512

    b292539a41236a51fafafcd62edab8f0118d2cccaf3bedd1c1f6faabb85b0257bf8abc04b47911538cb4afd0792d1cc9a25df0d7a3693950beb47edd4e8294bc

Score
10/10
mazeransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">2+W1qufLs2UfRfN4H+u8tUglGmjMLx1IXqT5OFzBepsjUWZanmMZtQYmOlYzh6NWuKYQnA1XYrGmOPe5raAIzRWcA7gsKDH5QlJq0R5N0V5cI+oJTMtsQlxp9T6OGoQGaKxbvLLRgI8SjneEhkgLFGWtXgsTmwSjTzkSw4T55RdvN4TMPC9ytE0LM3W2GDM0VdkZRtCSAfLCBuorlsIhldRWtR4wwRQyTPuGijPm7QjyHQpzv2a2clVXkX+dKFA6RYwwAyxkl11F830naC//Rn3jT1KpQYgpx2pJiWDn8pnpfgxzrr2RN1U52JXDu7OSnIeM+CvwsktMMGmK3oPkV6CSIHAuIrieP8yV1Dewox3v85J0o8p7rxGrwF3UrVIvQHNjZid9RjhTLhc+oreKumzCiZU1QaGMt9FuneyS3GIBMVmsuScTHpBfj6Z0rc57WW0+jRNviQ3RZGluupv/rNIZ71l0j3lpLzYQs2QBfqvYblhAljWjUwiefub2WoWl2scOPqnfqx0Q9E4lTnBd7sn4eOWn3gqE4CEzVnhSq6PZjpX2oNrNgFR0wXR2Oi8ZFnQcllFOo+u9igjmj9xVlKHTa7VMwVM0/L0wHOeTko9d5K7RmFWpV/hqwKsSxJL+Pp3u0PcS+C1PZirxt5sINnPrQleglDc70AahjmocGvZLFkrzd00fy9Qhl53FKULLRID8wu57zNhC05OsHQZhv9bsb92RUEc1YtatxATwTzASIAaefYBUZcjQzHT0gwFIcN1Q4AarF2+wIVPMshlKj3YboHakpjszFifADfpSfUvXKtZOzTH4Aw+yvmWkjix2hvlX/iFYq9NPFcGm0gZ31dVsAvWUYtzODO5slAjMwveiSYR1o7CIKsFNE/TZUBt+J64RRrvA0caec4m7RbX9VVDxVNFxK5tZEaKU46b2V2Qe06aA/oivy90KSBpQcSKZNGle0UWlZT2BVGlFI4LpMBErqTM1pnvhXvFMDh6oMLXoAPWjKq9x2s6v002mhjU366qgxVxdb23WKiUCv191FqoAfyu6Q69TdaUn+XhPpebdELnOJg4IOpC1upG8304XsN8BbNQ7FZoF6fk+qYsVJO1NrIR1UoOxqooOXh4cYiZNqabnq6TF8qsuoQ2F3EGnQCH/rZo8qWHJGrCw9F4Ch41DJ2AZjtw+3tFnR59ghQGRWSyb+UjMG3GMrfDFvcvEFNyGrtnAoxqyq96zBVUnVnWkd7bp5fDWJ/FQnbGbcZZLGmGq8ZbN7ryVaN8HJbZjUvhDu9wk5eP2zXMSLe2qREbCO8PUUpdBfLyhnvS63ZPmcAfris1JYVB4Z3R7oNRE3B59q9znaUe5h+4KTYjYYSAq8N5nvAz1ua8dmt2/pb3Kyws9jKrJZPprC1FqHBVC2GDYLmmqZWVFf89Lb0ltRa7j6ktmqStLZcuWYJkNAWtqkI8WpfU+YLd9NXnFc032BCDlfhcVHrTYhBaHp+sr6u7EDKUlcKiGcpgNHevlJSSpX/rBWTXgFRh5xq/NfGwJmyIx8RySxQIlJDQEHD5r6u1ip/661DhtJJNAzKPHH69RsTWJpeGVF7X479CQhP7YdQSPYThGlLgMwn+EE2ZmuDmjE31xa2g8eCR++btSgKG3DaGjzoWOHDsrzFwKrTNRnWROMXcoBgU52583EIN1H4AZeYdmZ4TiVshU6vjH4ZL2Zxr13clSMl4X7/8OKHyUUC1+IUyrM6fXPb8Y+iHS9RB4ib1ie22I0dwkRjQNbZuZoWaiKqyTxNgvDc0v+TxQdY4TTTE64Tpunm6+VEUte2bZo5B+Ii0gNukyvARRSOUrLl0c4RGfY4eFVuMtl7MKWGi95ybsA+NCbZcyALeHpzR+Dvu0A+OPDyUTx9Rf+qM3ezoLjGuFTOXdZ8Lbv0PfQQ62Itb7g0fLiul3SmcFovN5dViyXI2EM2scZD5sni+OisAlyPxh+czkzpqLT8u6JX4LzBDOdkmgsWLXVNF3p/XGzOgXzU2yfKyy8NoM6Zu//6yLWipoF9ChoA7lKrUY4H4jk0IhzZTGRjX/eY7yYNVuwy/CgQ62Y5cYzX1YNW0XdrcBBD0Q9WFSC8PCEWfRDYqhXY3+ORTDCAATa1IE1BcNcCJQsqNM+FsqaipofP87KLY7QMF/cnoiVfSNVx8GxEWHSYundxrI9SRbwEG2NLJf10sKJOfXdQz7oTORfY43xvxsGVtJVgDoOsiwGlNEgFjdEwoiOAA5ADIAZQAwADkAOQBjADgAMgAyAGUAZAAwAGUAMwAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAFEAVgBWAE8AQQBKAEsAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADMALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwko3Ze3gDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>yourrealdecrypt@airmail.cc</b>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe
    "C:\Users\Admin\AppData\Local\Temp\05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\system32\wbem\wmic.exe
      "C:\are\..\Windows\qn\rd\..\..\system32\psbxf\rnew\fb\..\..\..\wbem\xkhb\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:660
    • C:\Windows\system32\wbem\wmic.exe
      "C:\vno\fh\..\..\Windows\rcfk\bkg\..\..\system32\spn\bwj\..\..\wbem\sjv\cyib\hws\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1096
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/964-54-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

    Download