Analysis
-
max time kernel
176s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
16-02-2022 22:54
General
-
Target
71b684c0b52bfa1a8b79ee57b99af14a87b977489c08d002b784bdf7584993c5.exe
-
Size
486KB
-
MD5
a66202a5f7e693196a03ebb371ab5c5f
-
SHA1
1d55ed4048f1ab5fc485776081526e758297e214
-
SHA256
71b684c0b52bfa1a8b79ee57b99af14a87b977489c08d002b784bdf7584993c5
-
SHA512
946a34003e65eafb866db270d90477bfa0828e230e42b7a998d11bddce21ca72fe31f23add3c714c4dcbb2c6c7e55df7328f662529819d3874e8973e78d4a5cf
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">xukdAVphQc/euxQViWIwtNek3GQnVOhtgLtNJFRLvsNUHvMT+FEj1VJ962MJ+2KyVYNxTe/cC9qS6jRgtVn0LM4YyAKQ4J/Z0xvoeY5rhfVs9Ee0t0yJLH/NlDye2kKwF5lBfR5PGyhtdRcmz64JX+qmEGIbawN6bTUxKXqUqlEDU9ANmJ5KxQd9oSTgptqnslBPeJFVHhgPdvQ2iMcwPK5Gj22g2Zo51xSIO4SLkpOx8T1MYU5e29FD3TJU8f/VEKf/Oh33rrt+C4JnowgbeWVtxoKjoNv6sgulXF644wduJ/C6V+mVA/DVHSVkGg7k7BoFLYnisJizz+bDFv/wdHOJVJ9XMtb9OjLhBHMRufunEonNIyAw2eISFTRlXJCl7TaEZnMrkHXCBqI3xho+3J5ojvuKMwq6fjeT53wxtcEKo6bQSYkQ7AwSYiTvzx0lZbqCrvBL48YemIBCppf+r5e3eOrtzowCGBPRBQGt/XBhBE02cbVwvl4WkY0FLXVqGc8ZOzCRDbUSu5HlTDKGnybRi+4buiuG64Uo1Jr+9kuf3c2CzEGqwYQjqLLoDRFJWMXbrx4YkMcfxfeVKthppHji/BZa+gUNlJpt272Ah/B1MeJIlC4bYACDloJ8Nc+0hQ8IMmg/TD1cmd/qPRS2SQ0Bu8WtlvwqT8ggITCGMQ+Ymh/Rrk6YnGqdAwMgz+ZBNizUU38JSQypeTEdSByhwxkQFFmvPENsvRMOZcB1iR/YmIGeJMpgM+P50huEaAq+4q42BBOpVjSvuMbSLUtWjqGtEqTpt1c41TezJo1P+5TZG6eRme2r33z8CT6fjmUM1EaRe6aOvZ8w0tEmr7P4VUudeleMYP4ZPeSkZ3Na3ziUvewb8L4socBagxVxY1Km/sM1oo+7QpMgks8Ud1cUPm12J9onU5kQ50844TNKMGJyztYbr2L8WC/r/0eVr4gbUw0yIAYImWEgTt8XlUOiBH8BTjehW+OroKWLE358sEjraCesGAmu4rU40ijUCpbBeLp9Jk9mq5JzHjATiI6UAUYQ3RnkyBgKhsaB49LLAI3WUs/coIx4vSYGWKRyCXhIizgO0hxbF4ZkklZW0EjgVUsatYrFWHdYzuqzw0vFXlxtx+uyyuOApQi12Gq8iHqYTe7Q4EYMzReBtP8SrVj6I/o7zkaS/ba/Ogg4di82wAPbzMDSyPNrye0kxLlcrGKteQSTVcR/FabW7FPdMfWwaU7lR6zkm1y+5JUjdqxfnEsOqNuR1pK8xZ5XYeIxPv36UZnocmA0Y3Hdjruz3o03v4ZUR9AXqzSoD2QgVZTvQXl5hAUzLsRjRWyWg/YmHPaSyrm0LUrH2XJrPwATWZ1EbpycpdnU0ry4olXPq6apsa7Fj/PlJSmo75wcyKz+PEFsd9+EsOQ6Tw0F3amQ5qwVakF/wcxkPpv6gEhPS2+lFUxrLTj/NLy6zad2QeCNIdGzuYU51zepPU0odf2b0hcxsCxZdFAEvF5jyVrLD85tQBax87nXtb5g7cKD7moJxpELTk7kBJjXxmcNxGpfQnH2pPGgoqktThZ5F4u3aBvnNVsEm3eljEHzyJkKIKeawJ2Gb3n/Kt1OSW2ZE5R1an92RSccQ1E0EyO5sQPi+r+kt7apr6rUgpBl6Ld8lumZVC2DRzdEDfMc06THFBXsLg1XJEkGImgpP2gsO8fabAsiO2Dvudb/bHum6tkHKDVILY1exTseyRV87uKpMUxbdrTzcXIp+ETYxf1YH1yrHDOdavRwAL3EI2bHPWUIeg2lyVVuIbtmQDKKDk/4yZ6qKbb33AB7VDc/jHwJTpPFCEow+e+DsvwB5TeTmQCY3XlM5rld/st3wC0GD5Ov1ay/L/0FTwLCd5HLkn2O76XwE6TWKZ9ojnFBYx/8ajLynsphZNSt1+xEIpzl3m4hYeemVMzIhpjsmJnoSMX3xmTtJ7KtCofA51PsiGVdPglkVHn7oisPLlm549sl6slwiWsW+ZYODDeW11lF6dpPC0iMByLYab/Tinp/xr883vkGYWkVd8HGBht/f0K9PNXup+ZYAS+lS1WwMZS6HHIAHWAf9frBvhUXn0w+/3YVm55CCH63RbbD2dhG3vmAQSkIOzAMZtYLHVSBlZMchDIVoqw71NO8T4ugBbRz/WFFvMsoLsbtMWF9FMZ61f3zXVWbWAoJMNkRJ0+eEEadzqgYJV7kCWBKywrXLFUw0Vn/5vZaSm95cYtPtO/LdAoiOAA3ADUAYwAwADkAOAAzADYAYgBjAGUAYQBkAGUANwAAABCAYBoMQQBkAG0AaQBuAAAAIhJSAEkAQgBDAFEAVQBIAFEAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADIALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw6fy4DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71b684c0b52bfa1a8b79ee57b99af14a87b977489c08d002b784bdf7584993c5.exe"C:\Users\Admin\AppData\Local\Temp\71b684c0b52bfa1a8b79ee57b99af14a87b977489c08d002b784bdf7584993c5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\qv\..\Windows\x\dsnh\..\..\system32\ur\dp\..\..\wbem\aw\stw\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS