Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    168s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    16/02/2022, 22:44

General

  • Target

    a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe

  • Size

    447KB

  • MD5

    9823800f063a1d4ee7a749961db7540f

  • SHA1

    9d2917a668b30ba9f6b3e7a3316553791eb1c052

  • SHA256

    a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174

  • SHA512

    c48624e32dba7f08ce0ca8267e541b123c6a9bf848b81d9e62f7fc4bec9b8ed801a6204ffaece4decf0d31bf2595867ff6f8c0b176e366848b61145cc585e41e

Malware Config

Extracted

Path

C:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">Kuz5siAHbP7Us9fVSs3Nqvkc6YBOa8dswz/zj+3bfqWYZvlhOE6CsogvE1qkeMrj0Aa42KN0BCpvIXBLqeNy646MECssvg4g05/sckTzZerRJOc60Sve347Qa1Bts5lq4vLn8O83SRyT7QooAxs46a+EohQC5MCs5iPXabHPksWnrvxJ12t92L+WPsM+t5deL5OjTeHZGQ0V+A0qxqidHs/addQz0g5TwoorlVDQzEhbyaHV+Q3V8dxe+w8GWm1p1Bld/fO849qXKH/s1tcJdi0peIPSBbSgaDo/1XkCsuc3l5YZ7bNNSFG5NoCMWmTaTz66/cajOj8Z0CVietd8I2DIg19pNa9X3ardtmxE8WBdeIqGKxgJ4oe095vLm9EexzgLO3kRH/F7iPPyCgyQhWY1dr+TYRPvxBm+H/uWGIjkHY9jrYP85dnH4F2SwxpiE4jVlLNvsHf9cPkY9NAQ/Ln01C4AgNSczF7j6IfvTShu6sA5He7kVaExVNzoCD5AgkURvOLF+vbOIrSAVPgWHS8G3QhMa8viLxLoCis2/uxsWicm+g0BCAnv/+LyhNktd2+OQ48oXgp+xUev5Iqn9jjbMsyrZnq3p3vXv4GjEvj83Ro8mIwOjdyRTYScGVrLHtgvHFzpaFqTQJDbueDnxRwItBDWyYH64PcTOJrjaiQ3TkermYgJ98bebWzOGWp3FXOr1ncmciLHc0PNHG52RHyG3aE0GBLtitEc1tsuqaCMtbhWTOQQDjCovw5n6Phrnad9wGZZK4iPhqdwWO3NO5MnMurvxzs0bUEMcNS58ZxC+TZ2nGvCNmtnU9VEGrSvhOwFayNdz5qf/NMtMGMfFTo68YAHOGVTyesdoNiWtHd6xpNjq5rsakJcPnAlqyW3omyT23XFlzmq8ceYnE3m1/1w0gBAzBvdPXhJRfhlrN7rqFgyafr4bKvVwegYVc/mJAhkTkJMZ/RZQuXrD0z/fqpj8bGaWNocg61QSn/c7bEUj7snQFd/0ImZXdgwgSnqj1C6CyUIvuVPJFx4PJ2FAZEINvDE+E5mUKdlT7DMSfNyXljZS13Dq1km8djokYdoBV0IZSym/2vJN78rOjNaRSH8EnT4XPzqfmJckVdp1/FTFlX3rwGqwVXwRBcaZmLZJeky26lvBmhK+XOMK5n6+LlvauT8beA28RNx1+SpMx1newU/Y56ifTIeibh3uuwPy7QUN2m8Rzx55JzVJOqecEbFqw1ILAdzPjgFqJzdA0HwRSDCkWZpb7EzHzYahpskZh3ntN6ARKEQbwkLZy0mam2h0BlLuBq3ZblZlRYEIjw/eveAWyDbsn1WN2/rZMfJrrdu1uOkcYgvU6/vV/tbKKdFjNABUR09h4LFxeTHLo1DX0ywxib7W3CSlbSu7HsepSsoIn1gUY22rFH7VKboNha8UU2vlVw/+YuRkJ8OtpuUm9zWRrD2M5OBXGHFoFfMvuKBhGW0hfkUQ+8n3BAK3P838TM6vKo9hYRep+stqnXSRaI/UVXUk6C8tjSMQJ2sQDCMPguXFhPJPa2r0XFqGFUM6XDEJzm0VQyW45DpS6Bgo69yvkcJrG92y8isodGzR7kMbI+pqaQnov0UL04d8hb0oNp9YD/ruhoaEByD1jSQypTS83yoVqPsBppc+BB1g9pZXBR7+3jggfESTmeOicyZ/nsVcd3Pi4oPDQYsDO8WUe2cINZESZTXMCS9x2UwfRupmNGG+LupxHBUqqgUV80WBUhGlA1rICyRkcOx91TptDj3w3ofMwPLSeF0zcG1/x8n8QHRUs90NzIlw9uwDa/lzqyoTxe9e/P4fVpPqO9vZaHH1cYxi004+7JJjhfxN/DHIFi2Sr6aoHsFVVG7ajBa4lkK/xW8wvetGCzdsyq4weovo7vACjujFFNXAfUTKCmIHfVdhxKjfb0cmOMKVvkYGwJXkOof0NTgQeNof/nFG2i6G+i0fO9e4JrTwqf8fdi8aXs4YGB/WwwB2IEQIKn/sWIqGPaQ7UVA5fWFfd8uH0dkMjptdYoya3JHtHLZL4jVYPWBs1PkMkFcvXjosxeteSi79U8VPlrDT0QO94BuX2WXlF8cdF5Wb6mB0TQNyIOSchB98RB8Iw/ZTg5gLBB0GhSXPu3NSzGdndJdPAZilj2RoKAxb//vxsypkjgZ2ge0IBnrWteQslSvnnfbT6eIM834u3OzDq2adDUgi4+o7WiDUSmZofNZy9u7vLBReIiGJgoiOAA4ADAAMgAwADkAOQBjAGUAMgA1ADIAMQAwAGMAOAAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwxdm4DngFgAEBigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe
    "C:\Users\Admin\AppData\Local\Temp\a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\system32\wbem\wmic.exe
      "C:\ghmo\..\Windows\nvtsa\un\jnxkn\..\..\..\system32\l\..\wbem\nb\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:208
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4264
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5084

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4672-133-0x0000000000830000-0x0000000000889000-memory.dmp

    Filesize

    356KB

  • memory/4672-134-0x0000000000AD0000-0x0000000000B2A000-memory.dmp

    Filesize

    360KB

  • memory/4672-138-0x0000000000AD1000-0x0000000000B06000-memory.dmp

    Filesize

    212KB

  • memory/5084-139-0x000001D169160000-0x000001D169170000-memory.dmp

    Filesize

    64KB

  • memory/5084-140-0x000001D169720000-0x000001D169730000-memory.dmp

    Filesize

    64KB

  • memory/5084-141-0x000001D16BDB0000-0x000001D16BDB4000-memory.dmp

    Filesize

    16KB