Analysis
-
max time kernel
171s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16-02-2022 22:45
General
-
Target
9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272.exe
-
Size
381KB
-
MD5
6405a2a713548111aa9a1a807fff6df5
-
SHA1
a8eb4ee46b792072347a73b21fad832f200128c3
-
SHA256
9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272
-
SHA512
f0b576ed89c04541b7a6a2b5ff8a5ab7c8911ddd3573c9653bf536d337e9ef219c9465372ba061e5133ebb38feeebfad1a9e9d25c9fc9471c8c10ee0341747a0
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">cZn6gDRAXyntZRotKC81mylbvPBc9QKetoiVjU0BxPfBxljA8YlNuis39WZZ9r3Y6DU7PdEyGYvdVSAX4OTdRqUmh6845qAfiagBLI3UGn8Ny09Rv/phY/m4GdMnslZFbEj7wb6hah/8JIP7MBc6jDGEU51r5Saf7+gHpaKswcB4iB7amOkOTBJ4uWjQG0XLdrVF6XChnU7whliUPgaOQqrYhHuRK6Sz1sg1T4muVpYXFxNL9in+ADpnHP6rS+0nijwBtW54nDqpInpRChzLDUN84CfWNIwraJslXqzn1POjnKWNkYkLQ27dkdFPE7h09zrnrnV5vb0AZSPJI4skXLfqS6HznuzBOE43IrSO8YTJdjK+oLgMG0UXB2BRUxBGj/QIUM5pCD2bE8at90G9Ir8I1CCWaeS6nMACD9IyrMp08+qI2GBsYKEv2EEUUkt40dTO0RynDUZvGMb03wULx5gMZW9DyuV/vM7jPGZSHfdXSDRfHXZK7nbf2jTb6hT8DNut44f8v+KKHuFuUg5tc8CRQ7AEOE9KZgLkHoegtgOA9cZIwGF0HlpgMZyZC/C5/PeKHzZt4MWPyyQKdJRCCO8jDQHegj1hCGKBa1I0Y89LYMmym0o9KZi4vdaHxNsuU/s3v1zYJLEy2nQqMwbtFF9kSNAqWx2rhePVphMeblMgkO3jQGqFN5xxaL5BF+zCZqzXuJdZisRMtM/z5DEdjMAeUlq+o61lAFgCavQyEepQim0wa2MizUft5H/nBUcviJgBqcpHgJWzgXM/FO13IY5Jnyj9Rk8vdfYsHSx8wpLA5X/RZ+qWJ9Q4b5ROjTulYUU84l5vkG5/XmE4+rhnvZh7Y/NBh+QtYeQ4liqT4oZNen2EmoCRWAgrw1SXJTc4G832cGrVSJ7CxXU6hI7DY+F5BGhUtXnoR15NJVK2fwOCRYZBRSqHU8tv85wYTsVLEVGbSX4sfDnKNrZFvSha289QpSZ8KLS+/KuuLThShpYAXvdUF4pledqEjxZw/pTxnu52NZ6H8jKlFuaK9RxCpl8wHGthMTLgRpjdUItncOhhp92P6kdaAL+mA9Mq0GZrnc5BAdFyXNRGAC7etiPC9S6Se08JFEX1ESPvjMA5rY/Sejzd7akHkHDe4/QoXCwEjwGvTi1JkMoHxm1lPcPo1AkOjwzHECMoQ61A3NHriO3Mk3PrHA95w55mcaFTQd4DjsDVXDh7yrE5y8cBlYZcvbU5ic1W94KMIdl8PiTCzOPAkTCuMBwF9blw72fpaTkfHTuWzJffdCY2eXq1NoEu3MArvRqScHa7HrD2FkvBuQCNeuKwCNPMziLlTimHsSG2QwQyENrPkxt9ZuhHyZJpLboATbObnB4dxPV/TyEWROgV6eEcfSoDY3mgOlKKNB84uzP7DyGZTBFM9AfCdK8TK/xA9LWn7FfHrSMjVR6fP97aDWqx4QQJdo4xQFRXd2ii9xrCPcKiQmfPD25xmBa2rPi5DXxfDGbeoWMasL8nQG9sCOZwrAO0y1PRSA3MCB/yoej8coly94ssAMGMVJfxQkLTcv7VgQie4M6SFwBoOFt8jTQS8rtmw190jStZ4m8/wBTks3VwaV5YgTzUhn7tV2D/ytdOLKWWO0a2WaeTVY7g0M2SDFkztUwPR/b3DoxwarkOPV6MtheQcRWhN8WnVgN+m1VaTqn20sZf+3HR2pAhoO2lBqr6lAhFp6dfTjkHqQe7wlTSvjIlsVAcWlxDMyGsOWbYkxEW+BAKSWJK+60DVKBPsL11R+onGKfuSMUQ2dHYim/qxSfndobOFUKXXbVJbMqSIputMTuk/zKnfMZKc4409M879TT2n4QSRFzibqah9kSPpIHCqZfq495RskwjNy8CW+JaJAEbqYL3yGLDUb+FIREtEyl2DLqcanREbdZi7DZojqwXinYlOL+FJjKi3XV0D3ymaF46K5cAnpN2/QnxQbYZT2W1SRhs6anZup1EXF7I6O94hzaR9OQByb7LotC5kXrKxOggteN0uRGAby4ms1G5YlxHZ9XX9ZXpLmI7dDrBafsM5eHkpvNvgVWalyrmS4/R4qSUZOrc0Im8Eg92Jc/uQdaopv/VSTdUtaEm4xrM3rHJg0JmNvHh8mxMyNQRcGjs7JowBBkjbgz7h1e8udLgtdSkgQFwd6O/2nMqPNZJ2oX2mQFyfdUiNI7A4nyKEbOT/pWltZxe63eF60auClhAZqkGQ3xzl0wlX3EC3QoiOAA4ADAAMgAwADkAOQBjADgAYQAxAGYAMQA3AGEAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADQALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw5p23DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272.exe"C:\Users\Admin\AppData\Local\Temp\9fcab81f339b7e009a40e9f263f8d2e56fcf1ec5fc230ee47c69e0b672b7c272.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\fsx\hu\..\..\Windows\iehs\..\system32\do\m\..\..\wbem\c\ij\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB