Analysis
-
max time kernel
165s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16-02-2022 23:00
General
-
Target
4ff7eb34e69bc60cb01eea3098f88f4b729d4158b14939b012247b341452a75c.exe
-
Size
513KB
-
MD5
26328ef6a8d0476111b18a14fb84227b
-
SHA1
0386e019f5d1b581f75ba8a91dd204a0ffb7c8e1
-
SHA256
4ff7eb34e69bc60cb01eea3098f88f4b729d4158b14939b012247b341452a75c
-
SHA512
c74660fff3e5e82fba0bc57955f0a68f350eec7aebb40a0322ea81818ee61859a20cf47e94a35d531b98b83cca852a45e5e9ecc2ffce531b14c145f88432d97f
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">l6Z/JWC+edeb++CvH7+W08q97NW6sjAI2/PZjhy67ivnLQCMNcL3ZeGHX4k7GNn+vNMtdYyLJFVaz103PhKpSSk5Sy1RmRfFSX+e5J7SuxdiLREbaTEjOy4pzeHcRoztkMrwkUxiRqpyb3CuCvRiBOcgIuWU8xPe9OhtlaAtgPFyGMkwypDHIkPbN85O5O8Nrb71Uz059UpGUtSQBgW/FDs9CYm9gPI/Carne4LEPV0KTLIzu6oUS7HslVT2Bg9GIshUmweREB0DJKla67tLRSzO6AY0ageP8JsC7awvzMGyFOWqPfk5Zv0Et9QN/ijegUmUrshc7nsaAFjYmyTKpWKAi8qbhQHhL8TEitRrdk1DA3rjRUSfl6xyM/k+qEkEVYocVl5WlIoSptWof0QTlcYgxHfUd7Ru8D0ZRbSDcS2y2t5eK8bHNRpK5ffhxSh0QcpRHe4PQ9+9kZd34l3EKammUsUHcuErJUhzTIiU0jR0NQb1UHogXOC5W5LO/6SXuEnCRfpFHUmZmg103NPBfmhogCkP8RjSLgJRwPkvq/9xxsiq/nyDk7MSO0jIPWYwbtcJjG94z/VpZRN32uMOOiCP+58hv3Gl1nk1aoYMMwoU0n509R0znDwY22jTHUexp1bldQDBaMknUyWk5tii6sT9uqQVkfk4qbe2G7JBsa3+zux5NjFvI7jYa3qY2FcpZEwfeEE9IWvJBIinhp/RywlSdD8YWi+ahsRR0ypw6KmbYFcFr+xBwr847oyB+AVopGiMk8B70KM/46Xkx08WbSIuFNXmveqiepGm/g2nJcozVCEv5PBRo91sst0JX6nmrc1EmTalO+kVg/P0+rHc97zxzjj4Kqom0RfDh/t6G2BKVOmcPQFv7HPPqM95k8beygLwvdnj1TC5SRrqh1DGqqSbbUZ5t4N/IZw2ewTSvFwroqDFgqPHtIwiBhrJrwL4HPZc3c5mx1vXn8/Ps97ix5N/j6DXKGol2lfILUFnak++GMgzB2MSawVlxLDjdqjj/Ec5wwUtqqnayNIdrjye0KH2E5y5RvqjLLeBKfql6Eb4SF02+/lbCAW/t4iZgOKga6s/27sQkF8RECv00Mg/2vzNoSnFOBGCW9+71F0RY9zpyRb1+5XC13PnzHGG74ib0LLizTw8PMalse4YbyWzA5tcmFcVkLzNoDpPgowBKmIk993IiAd5fy8ZqLF/a6HiR9wreeu2ybpIuO3z1KobIJzneE2LCRIH5xFM1ViUiAR0VYR8DkAi//ghlfzfVY0rdfWG0cKq33UQ5KLjHh/9i9RrfvSZqgilVQ/YAk5mptyTZIEqO6XzLE2ighaukJ91Jj8XAyBOj+RcXi8BdLn/b0bswfFsSPzumsmFA8Z8bahDak4k7oAzA5WHd3K4MtKdcQjf0YgEtAUz+C31Zgm/vTi0cieOsT5TcW4ExA4om/1XR+MaEGXCH40ZVnKlSTDPXu7ctPwefLxOzx4c1LzBli4LQB1HyjD0JZR0e1QBP1kn12FBQJYXU5UO28BR9ltqYZu1/Epe7mcui12fOV31MFUkOXif/zuqGd/yf/ck3W1jophJE9Cg9rLmNOSeciFzxxaHV4yEt4+taUAj1H0Rmfn4X51/5NIW4wopWZsu2GdGC2il8IvmAAN7IRQU8vvyGPb98K6zhfUnthWMzpshye+qNrNIkM2ozNlF4ykqKTbkJ9V5OZRXKLIYHbYE6vq2KBUC37Si2ufhX/08pTgHqEM3pYsqQqUUj7NA3VNIAynXT9J3H/ahZdhamwNDIv7RaDMlOur4jD4M0l/KoLfb9dNAcPF/qXdXkv15h/eyZBLg7W9xGOANkkPyCmFNJFbjaiqg/lRXURWTpbdpgwCm/YCDls6OxtJTfJC+pb3ffXjfI+zL4U2pJShWQU2HXvtMy5DKXnjqvA0zq7rZb87P2nwkZ2jEiF3vtsPlKjg/HTbGHYcW8Igm344l+MG4/8wbkGpm6+s2/8c8Scu0qS99HxKn+VhX2pEQzG8FcDE4jJ3s2I0y0Mun3l67QHjcxiB+qCFn72+IGl5RxTuZdpOV7xlY//kn4bujXDBOengYCfa+sL12OKHQTWA6uCOKMGi/h2sF5+ZTEgqesqvzvfA9jSd4L7BvlQsgb+w26lfVFVF88OgDUdfx0jhjKWEOaF3g3A5YGRv/NdiI8N58SDPhBqvR5qER4Xwd/t5HJzHMHvPG4+6Alaks8HNRNIBAy11azIj40goiOAA4ADAAMgAwADkAOQBjAGUAYgA0ADQAYgBiAGIANQAAABCAYBoMQQBkAG0AaQBuAAAAIhJKAEQAUQBQAFgATwBQAFIAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwl/a3DngDgAECigEDMS4w<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ff7eb34e69bc60cb01eea3098f88f4b729d4158b14939b012247b341452a75c.exe"C:\Users\Admin\AppData\Local\Temp\4ff7eb34e69bc60cb01eea3098f88f4b729d4158b14939b012247b341452a75c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\mdw\..\Windows\g\nc\..\..\system32\vhsqp\..\wbem\snv\j\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken