General
Target

05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe

Filesize

391KB

Completed

16-02-2022 23:21

Task

behavioral2

Score
10/10
MD5

e8e9272aace01bb4620601f1fe51e278

SHA1

21de9ba136a16e1929f7d50ee1b5bb8b30e85406

SHA256

05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862

SHA256

b292539a41236a51fafafcd62edab8f0118d2cccaf3bedd1c1f6faabb85b0257bf8abc04b47911538cb4afd0792d1cc9a25df0d7a3693950beb47edd4e8294bc

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>yourrealdecrypt@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">cQsKJeNmSJzye0CxQJaG0JOOpi48VqoObbsnvQOIG7dnIp+w2JMcIr9wDtMevXsdiMHGEfuwpNCI83fyBlvYN9Rhs5nkRbPUw6tM1+IvFeoivTA6NK3MtGpAB99XZ5xCRwU49kG87ARm0N6XhKOXTrwGDkImn5as3IxwvvbLYGSULpO/MfvtIErSXCaLTnVMk7k9qTekmuknHLzLkLAJPgcE8beM+9hh500448aEkOsWGmnvRE7QpoUx8IaKZfXvc4wEmouJSHIFAXDkiAiuIaytjmxX8dqUsW1Kw+DHqpyhVh7OIpvmXY8DJfR3IIzfEg18N27fR7gvJsGb6aUk4ItytnIBRafmVvwAudy0Sqn9kFDQixZIfeeT+x8FbpC3nNeEaKy54c6Zrf1Wu04N5WDALogQGsW9i9BFVhtq6w6KGq6C+foqI7BTOv4BvT+a7sr14HMO7/W/NEq8LYw3IqOIs0l2eerbAztHu4hFF51lJUBchgXz0LvUujaP/zqH3fikjQUj+Jd6lQIN7JskkXlem8QM3UUhJs18cPkcmrLv5rLquER1WnUbHtAGgv/R0CfQRfu2SXs3Xezmg2SP4SGEC2BH9u2C4LM7NPPVDDuX0RxEpmBsmp4p38fy5PlhBhB/JCYYyOfbdsWl63TC7InaQtguJOj0koQt9qgs9NNjG8lFpR38yrZQwNCxLowIy2WNruVxFF5Z+YbHB9sAl3GYEHS4nsIrB4+lFUquurGfpA0SigeLTE7jGc+7BdjDBklVvtfihkJQDywKx2MJ10f2GB0I46x28SkPsAF4pMzIk68LvZaKLzLPsfqY0r5Wy2MWttaLRwyGbfSmyPdcZSWwnn1SkWAJ7XuXSRRF19BvCAzdXhIdcZOSmh/aYmqaL2+V6whfytvSfLbK+LOCz70HOv/4zhflb4FqI32F5fd0BX+WPgovtb7AGQ6l1YaWoDyB1GPCXfGhhxsHLhBrSUbUdcB5fC1JmNXUzGYmQi9pfahFTs/f1Vm1rBvRVmbow2ynB0sUMk9tY5TJxIEGK++Fn+K2WoluavWrbj/ycs52TBtX8i6GodfCkeEXOwUQaRs7V8WFoVw8FG7nCeBmBCe6vKTJJtTBF5mKrI9Adl9QLf6XVQvQFuye/sjleu0X0DJ69tNKvkzytRVU23C237ihYI0jWpjagNtMA3M16oCPCDTZ/eB2coXtNc8ktbX5ufEOPB7JGAxrKZW2bnf5p+S7my2LYKVoHkUfqKM4tEp/cPM73N42bnhYRnMSsTLhUhIkXp6X9QVwpGTdbTBlmYXoaQGWUm09dxku1La2LAxMuk6qinHTzhQu6Xhb8LE3ZfI1X8GprJyG7gFWsnVJj6YjjykiTWXgb/wKZkdb5sAQTJHGFXtXr0b2CXh/4G690XeWa7+zfrVDk7vXJjZNcSuwW78X4YxlBE37E+qN/SG2dmi0dIGN6+moDqyNtG2LAQKhZ5/2IgUVEdseFd6qpGUdu7tABpYs2OwIIGE+1xqMlxUtwt2UY08EN2PIcwiT8j+nlEee7zDP1Hex+XIMMqOe8VBzi1orfHgs+sPjYVKT7PLdX5QobZUo3BrQLFZd75DeERBrkAF6OGxw/XvadCB4pVbaSCj4WhFm2zwV35LC6BGEtJguT52rLh74PNiV341kYMs8ywYcFD5F23GEUblkBZ6D0UOCf/K3bsSgw1JxDM8XIUx1XWQaOnyajaRZnXSTJcSTRxL0cd5k+pqvt8SgDLhAfMx23fTshp0jlolWLPw/i2TJ4huFuiM/7QoVIwRTQcNKvcxPfgvrGOC+o1/uRByMq8eGOrH09I+s8Ygvy/VRGq4UfhfUxugBZerUmvDFhONlKEdCsEyuERx5RV/JrHwQRG/Pn8FVZ5cIs+9eQoxr/kBZv4FHQ0oRkDIpwRuXrDpMUD3NQDpN/MT4sBPeUeYx6i2RwAxyBHevMjgf1tZB8AwhNR7kSeoWnKdrf4Jp3qE+o/F6w9DHqESxUaP8R0WjSs5G8tqKqtC3dtuaUl6RwZUTPoop7+f9swTQ2oGyCPPyTGhFyndN7GnX8lWhyju+znA4iNgJsSXNC/IQwbzyQjbgzHJEsIOWU6mugn354um7VXJZJkz7o1olmKoeWFider8SLXHUpmgzoHTpWOh9OAdZZ4si4Ku6b2altFBsFZVzaSgOSVEGVxXddSYZEG1Klc6m8bdy2xVcyvseC7D+lSonlXSsEfWWwHP7gCxZQAoiOAA4ADAAMgAwADkAOQBjADkAOAAyADgAMwAxAGIAMgAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwurG3DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>yourrealdecrypt@airmail.cc</b>

Signatures 7

Filter: none

Collection
Credential Access
Defense Evasion
Impact
  • Maze

    Description

    Ransomware family also known as ChaCha.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Drops file in Windows directory
    svchost.exeTiWorker.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\Logs\edb.chksvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\Logs\edb.logsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\DataStore.edbsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\DataStore.jfmsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\ReportingEvents.logsvchost.exe
    File opened for modificationC:\Windows\Logs\CBS\CBS.logTiWorker.exe
    File opened for modificationC:\Windows\WindowsUpdate.logsvchost.exe
  • Suspicious behavior: EnumeratesProcesses
    05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe

    Reported IOCs

    pidprocess
    446405297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe
    446405297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe
  • Suspicious use of AdjustPrivilegeToken
    svchost.exewmic.exevssvc.exeTiWorker.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeShutdownPrivilege2948svchost.exe
    Token: SeCreatePagefilePrivilege2948svchost.exe
    Token: SeShutdownPrivilege2948svchost.exe
    Token: SeCreatePagefilePrivilege2948svchost.exe
    Token: SeShutdownPrivilege2948svchost.exe
    Token: SeCreatePagefilePrivilege2948svchost.exe
    Token: SeIncreaseQuotaPrivilege2200wmic.exe
    Token: SeSecurityPrivilege2200wmic.exe
    Token: SeTakeOwnershipPrivilege2200wmic.exe
    Token: SeLoadDriverPrivilege2200wmic.exe
    Token: SeSystemProfilePrivilege2200wmic.exe
    Token: SeSystemtimePrivilege2200wmic.exe
    Token: SeProfSingleProcessPrivilege2200wmic.exe
    Token: SeIncBasePriorityPrivilege2200wmic.exe
    Token: SeCreatePagefilePrivilege2200wmic.exe
    Token: SeBackupPrivilege2200wmic.exe
    Token: SeRestorePrivilege2200wmic.exe
    Token: SeShutdownPrivilege2200wmic.exe
    Token: SeDebugPrivilege2200wmic.exe
    Token: SeSystemEnvironmentPrivilege2200wmic.exe
    Token: SeRemoteShutdownPrivilege2200wmic.exe
    Token: SeUndockPrivilege2200wmic.exe
    Token: SeManageVolumePrivilege2200wmic.exe
    Token: 332200wmic.exe
    Token: 342200wmic.exe
    Token: 352200wmic.exe
    Token: 362200wmic.exe
    Token: SeIncreaseQuotaPrivilege2200wmic.exe
    Token: SeSecurityPrivilege2200wmic.exe
    Token: SeTakeOwnershipPrivilege2200wmic.exe
    Token: SeLoadDriverPrivilege2200wmic.exe
    Token: SeSystemProfilePrivilege2200wmic.exe
    Token: SeSystemtimePrivilege2200wmic.exe
    Token: SeProfSingleProcessPrivilege2200wmic.exe
    Token: SeIncBasePriorityPrivilege2200wmic.exe
    Token: SeCreatePagefilePrivilege2200wmic.exe
    Token: SeBackupPrivilege2200wmic.exe
    Token: SeRestorePrivilege2200wmic.exe
    Token: SeShutdownPrivilege2200wmic.exe
    Token: SeDebugPrivilege2200wmic.exe
    Token: SeSystemEnvironmentPrivilege2200wmic.exe
    Token: SeRemoteShutdownPrivilege2200wmic.exe
    Token: SeUndockPrivilege2200wmic.exe
    Token: SeManageVolumePrivilege2200wmic.exe
    Token: 332200wmic.exe
    Token: 342200wmic.exe
    Token: 352200wmic.exe
    Token: 362200wmic.exe
    Token: SeBackupPrivilege3584vssvc.exe
    Token: SeRestorePrivilege3584vssvc.exe
    Token: SeAuditPrivilege3584vssvc.exe
    Token: SeSecurityPrivilege4652TiWorker.exe
    Token: SeRestorePrivilege4652TiWorker.exe
    Token: SeBackupPrivilege4652TiWorker.exe
  • Suspicious use of WriteProcessMemory
    05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4464 wrote to memory of 2200446405297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exewmic.exe
    PID 4464 wrote to memory of 2200446405297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exewmic.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe
    "C:\Users\Admin\AppData\Local\Temp\05297f8224bf663a3376a5983377e747a56256a18b30c914a2e10d5d5a144862.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\system32\wbem\wmic.exe
      "C:\f\mupgf\gtbg\..\..\..\Windows\v\..\system32\axm\tlyi\nc\..\..\..\wbem\sae\gk\ls\..\..\..\wmic.exe" shadowcopy delete
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Drops file in Windows directory
    Suspicious use of AdjustPrivilegeToken
    PID:2948
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:3584
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    Drops file in Windows directory
    Suspicious use of AdjustPrivilegeToken
    PID:4652
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads
                  • memory/2948-130-0x0000023BB8990000-0x0000023BB89A0000-memory.dmp

                  • memory/2948-131-0x0000023BB8F20000-0x0000023BB8F30000-memory.dmp

                  • memory/2948-132-0x0000023BBB610000-0x0000023BBB614000-memory.dmp