Analysis
-
max time kernel
173s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16-02-2022 22:36
General
-
Target
daa0ac4896cdfdae324b228d5c620fb3ab4a33ff73d991a3587a086c7ffb5e93.exe
-
Size
426KB
-
MD5
e07b67ebfd8b9628237a9cc955a136fd
-
SHA1
c623d17c0bbd9fb753328c8d38068ab57f9b9758
-
SHA256
daa0ac4896cdfdae324b228d5c620fb3ab4a33ff73d991a3587a086c7ffb5e93
-
SHA512
a3061c67c6ce4d982a4de514c891e3eb1ebe5a5bd471292407921e86f3336f8a7e1e3d2beae353c468b399a5d5b22e5615d1b5c78db19863bb7f410d61d11afc
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">wosAk7koojxjrSB0ORsLkfOPuGkI22BhAQ5IXFTrW48HFG7HwciHaDU2VcvkEUwpcFpFYyCNBUEaQgdj8n00Za9fGM2532GtuO2MZwr2bz7O9DANoZWNEmHHrvVaEE85DBuUUBGv3hNDYqaXmCxiLTa0kJGLpc2s53GNeYjzK2dtLzDMqfa+HXT8m3qxuuBAU0H55DVEVTrJ8ZhfxTcnjx6pCcE0bN7nGzFZ5rq5HWOjGMcn/P/Pi/DR1UgpmHsKrT+ARb4ztLHg06joZhMNTmFqLKsJkLCKSgC2keYX1zEmUskkGumiGm+KDLSAauyhMEKMjn28vqVnO2J69EJ39Jtpi7bDjcx6xqrvORjQzjc8QEpI8J/qcCLq16CROH6o/HlkCJOqp9m0vc5XeK7dRTDUpZw6EtAomlAjpnDbwUoObrSDfpP6Xy7/+HzaYHvLIN6thZzJWczsnkU7ulYaeru/oLGrYsoGbUGdfYjwbCQgkAx03ey3xmuSc9o2msNbisNMm/ym/fEfZTVae1MDgjl44VNM46bf/7eih3FNTw0UndVqIG59DlTsdMTNoQwNSPSY3elxlxD9f1WnjBB9zh7OMv9wGbsQ6u/DbBD5BhxJ+R9FsVbMZUbCGFeV/u0rN1sgNaDarshnaff9DtVjkx9jbLQ1EYGH21WJ2R5RLrM/o8x+aGI7hdiBQ7RtwfwMAOtXkUrLoPz0Ssb1vwCi4C3ylLhg4cDzTjet1zYqmPa1Vgp2npk5nJaiNVtOAweENwnI6r0NvoYPaShSqX/mFW8cWnOY/AiV3SruEXBTQ4XsWfOJJ9tsYqRiVOyxrRpH/OhZK8xbnqC2fe5E88bXPmSGLm6qYiYnIZVBmN4u9JxvWiW1uaQDerlfaWtuZze9DSE5df+x6Y+9y8wPeDbv9rZA94RsqJdTRS/1/kOjMCUy0Ovf5uDPpjH6KimPxsFfwsgjwa70DM5768SUS+W02GhM3lxgv31GbwU1W8Gx1BawcEiRAyuinJLFcMS16TYa3VswevhQVhmhU1U42UgAohVhy7GgBU4SyiUJDD2K4wvc4HIOgEm1ejgQUUTreXoJHWARgzga1QmdH8N+d0NkaPfzmELQCekO3AD0yAs5XTt7rB7Kw791P5PrE5+OZ6YtSqzyE0ybl3n8lVfll3uNl67DOvQPnTxDturkBVBTJrwUBCcloZbmJK+2oppLFgRq4Orb87CBzpqp2zzqrjOnlaAIikHKWq38F+w5BJcLLVJfSvRZ+cb0JqBAwlxmSXdteLzjR508sJQoYVRbrF+05HMXkIcIVP5N/tKYq1qxbBkyGNtc89PvJWK9+tm4E8rTv8RIUP9zcBja6EKuG7+cO+LMm+SQoHUyh55iTLZ5xQApHwZIsX18Tda3ttS8piyx+d084BwWV51Q/BGjF5T73X1dFPZm6UVYhNIv8EfWVYDmizVSDjQ3LnfdCcAA3T+xtVqCsacqK2sbgLERW91cbSKds5LcpeGZqMWi6yhOwHcW9waK4DpdxcFx2MpEjY+/4h/YyTkS2MoJZIin4hvmW+9NOZOIV3gejXWYrNphB4E8JiScRujOMX+6OdSPULrbJ97DL8p2MS14V/ytKbExnySWbh4fLCnI5zhmTcuXlWZ48tAA+7VUMXTqvSXHERq8aYZ5k8rJCwIVWdRoXvClk/FzhFwABC4Jg7zp7m7RikKlSDUnLzlwtfTv0q6x0AtkIsLOPAOQgWckzd6PB6haMiiDy21KEBE3F0do1OWfBz57zhpmwrkgTwfoYPxuaonCUwcbtZ0uzsY9zh0XCfbxLjJ1jOIO6DpfiAWrjFP9oZ5Ys/W1L61CEYd5niyqVzchF7Ym8zgUAeqDnGE2BPcdLRMG9dHrNiJ6stBVEoXqQvzyBxUx6j21P2vkZYU7IE7i32fkR6AIUyw06PltsuUNSAn2AcwofX7uDprvsO/Kq9gmxIqNkEiA01UaMd4uHFR/XargLVupJsOSCs6vK9cjQot0kIKA5oIX9dCOcwVNWBbPFGVbWO4QUyAGsCO457vMwvwJ6ySL6RbmjdsHP3fAXYaVQwrvp+44U4mu0n32chLjcvG4qXcPtLzwt4zi/bV2LlXhzLuoU3sSthIL6V12klkxJKVIbOgTUkOHCAbxY8CjC5tm8g31X8haQEmoV1IAdAGrfVZMQE/z0b+8+cwUPfIIHKtlkMKy7Uvl5tQ8UXtfODPGWeYxO0f0FZhwGeG1YqX9awoiOAA4ADAAMgAwADkAOQBjAGUAYwAxADMAMAAzADgAYwAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADcALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwrdy4DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\daa0ac4896cdfdae324b228d5c620fb3ab4a33ff73d991a3587a086c7ffb5e93.exe"C:\Users\Admin\AppData\Local\Temp\daa0ac4896cdfdae324b228d5c620fb3ab4a33ff73d991a3587a086c7ffb5e93.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\bi\..\Windows\wli\wftl\..\..\system32\p\qghdr\xh\..\..\..\wbem\e\j\avghm\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB