Analysis
-
max time kernel
158s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
16-02-2022 22:51
General
-
Target
7dc5561778965eb8caba07ed32d5a683dd4acc8731e56525c1931363a3451c23.exe
-
Size
455KB
-
MD5
c7ff4562fa2f817435f54ece870eab73
-
SHA1
49d2bcd881723f239b66dc6eac8816419e86d486
-
SHA256
7dc5561778965eb8caba07ed32d5a683dd4acc8731e56525c1931363a3451c23
-
SHA512
bbe34ea8cf5ff1c8ccab6b3b077238923f005555c2137dfc6b7ad8e2eb4ac849f8145dbaa3029d192f0af0358bab82bf588c3b9e7109636fd7a928ab1e8cc5bd
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">NqXpx19CXM42/mZP7G1ifp4TFPEjvvgztELSABB/tHz9auCpXzfXc1HY/BJTsXks1bmPseO5ArZmmEyaNVGiFpRLrdjMI8PM2QG4lTqY49dliol/D67NOavZz1t/NwFp0HmJOxPN0GiaZOabS+x9SSNV/JxseNhLJkC5ImiqDwox80ynIhbtR4xlv+jk6BohifY+DMJ0c4E3ts8VRPzB/EpG6t0Z/L7ROiPUpGxA+1ETl+ERZDe+cMHSiTdVwApDzaOmPbvQwIUp9Tk0Jiw3ArI3w5kSPGXFZhe0gpBO1tV+ys45q/iGuF+qGCae2NXsiELdXHtwv5ey3QsaIOH6UW5Id28buuc4sdKd/zZ+/qDk1M00UQ4wxAplf0f9FUkIC9xL55gLzA4ywgP51EbSWIKVqmI5Jv5rAeZ1a2lkZY9fzvRI/11/VmX8uyjE0KO2MqUD1Nh2l7XMec4nU+cJL8IFkZy8tGP06YIcNrvklK5BOfdl9P7GANRsIBjKfRyNaqi4+bNUAgdyM/Rb1OccSKBeVzTRjMZRb1QX5L1heIjbb3Wkqhu1NetHfA2bSXPeqO7AGQz+FmbxldIcuD5bS/oXgeoEg+4ifSKfAmT7CiPr6PKj9CAkwdzT4bdELFM7WqFTREYoch3hCVdm/vckaGiTv9kRKiz9l/cwi6CL5B0qeGEKRzYkygNLNfZ5UFS496B/SZcZsWOKGOKcTgsTtljy81KE+BskS5pe1r6Kvl7pm0W6rlLRms78rXpfWUhpBqMeAZv/w9JHEWmQo9fp3wdcU9pRTHcT434EBxfAsztQUATSSXtuuGAUnH71MskUEQ/0ApI7Of5uCVu/X0xRVERbsrssMmp3D6mOeOx12z8+lK6mI/y4hU+IO6egRKLhzOOLpp3K6qEEz9TVNw7DAxRfwvZNrK6apLaD3M+Xv5DwP8ejMk6CqZDHDP29Gwn4K/YWWo6FhcjhPzsQajstkq6lB2CqWo10l5mh2MNZUEjbeF2Oi7Mnjb5epFvxAdS2CS3aPjalbdVjzHyLzXlW0HkVWjx9eyu00OCS3dUcQWkVWZ2XYdkt44Q6OLIEOXrA9ciXVrNF5O7kkHSokskR1sgZNops2VPhQFLE6NiCPf419IdOkYYlOmCv7U2BJmuHKplvB4VVN2lkO2gzKecMXKQqDZdurlWLY6co6Rx+5nlkB9jPhl8CL26aUZp9TM2WA0miYFoOhcYzsgewteb6CJ6SHruGDcruDmvtG6fqbXeD1wiKcxs9qYJAaUs09tPCFPCpvkkjjpp8bfNwmXDE9Tfebb0kCu6hXvYekmxpoETbhHM2EBdpMtXoEyVRvg7RM456K82Lxcxs1tZCi8qol5y+fDYEyWu+OsOfUZnOkFuMinVb+eHBmeRmC8Qmuj/Od7lp4TtoVIP15UdNhQPc91wtPmDyBQLXCZNEaUTaO05mmwPgHaPVGpgHu8szH6ZDWZ7tGLHkG1qCSxNeQ2KHeDDvd5DEjuy79dtAnQ31abPBNtkZxjqXlhRGw4o7bmLBis3UMkUDNE2dIpRPik6YipW2pPlq6zpAtGlcrwjWIVgIWifCcR8SgLx4nqd6Eeo1avqK4IFcAjpY5sAYtEOgaCt3w02uk7hKGxjd+4xkltoTY82olbE4BKmuoVx38Km0T63l2mpKoeMzOrlx5Dr/rzfkpev2TraSmDHhTYRuO0kE6PREmjOoq8q5nkYrrR26/+pSyX90aiXJDtEDz13JCPE5GouxxJ/3QRVF3SMsv62ntzCURI7Fw3Pf0GLreBjeGgwDzprihtGSSRAzgxeiRs3v0DzkHjc4kut7eY09+Ke8qJ3onvF+mIWLxJDcbm7naeLuQSG37mfL9QIlSMAUooQAl4HZ1ikaKQN4Qe4Osu+6FoQvQ2WDNMFbRSzFWDVDt/SsESaNOu7fh0Og5eNhd+g0tTEKHKgDJsGvdYh9xHU+TZkfsRbqs77sFscyWND5QNiSN7MzYzUwAFDDW2m+L09rZMh4OQGLkw3FCNqZ6dMx/BmwrElpO0PpY2TijOlcpCfqL9qrSZTtygFaD28miJsgOvJ0H4YHAnJTEhiW6Vdl1qfFpKcZm9vWlKKOruzhq9XFxJ5fDw0S8swdGEBwSZJ2V933Fr3YbF31JQrpHdoSg/VdMHvnVruiQihfVSI3VBk5QjBYGsOucVgW7gY7Ozgw5LikwC6lSNh7BIm/ta86P8wfdPmsqOQJGanEDrj3acSmGwoiOAA3ADUAYwAwADkAOAAzAGMAMgBhADUANQA0ADYAMQAAABCAYBoMQQBkAG0AaQBuAAAAIhJSAEkAQgBDAFEAVQBIAFEAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADIALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwvoO4DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 3 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 45 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dc5561778965eb8caba07ed32d5a683dd4acc8731e56525c1931363a3451c23.exe"C:\Users\Admin\AppData\Local\Temp\7dc5561778965eb8caba07ed32d5a683dd4acc8731e56525c1931363a3451c23.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\hqfjq\bfc\..\..\Windows\i\k\wvswy\..\..\..\system32\umqh\..\wbem\nymw\yvwf\dnu\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken