Analysis
-
max time kernel
141s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
08-01-2023 12:26
General
-
Target
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe
-
Size
453KB
-
MD5
248c960c1ae54103dea5bfae924f28e2
-
SHA1
504ce8efee0f7f8329c09c6d045a21c795a84b42
-
SHA256
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
-
SHA512
5b3dd4be33c48cedda5b9270a6454540e837e9611db4d43b35e7290ff7e25dd3b5c0342de6de38f12e8c7d5f291c62ef026236825134d1181e7ba5bdf8103464
-
SSDEEP
6144:/P2vVfY9RbTrI5Tm6oUAcEtKY/e8lmceEoAE77OvaHhdRwc9/P2wdAn7gJRKKRqX:aVw9prIVpb3F8ltQlBwc9/P2l7gT6
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">Z/PheAobdL+bHevXijEkP3fbJ6IcAQfTmqDCootKc265RdyoMp6BtsOyCOQpHQORYqYJY2Ma5/zuBUGdL2/cfY5X4E/nuEj80GmsrjCW2rzNpD6g4/QjarQ5nSIWxTY3dseFHEvsBQ0fPSO8e7fxWT3NV2gWO75QBQ8Sgg+cEU2Akv4wzbBLokaaqCvgxQxvZ7dOH3aMjwWIvg6kVvYhx10MqZYiSZuHdyYbb9ABPr/xjmYDEdatMLrxYNBqWHHhEyqe9XxHHkdCYCuo4oRcpj7h4MwSS28O1ViL+xcxgmMllFVmu8lGs77hpsI+C/qUr/wuBTZQM7XrFTReljZ8mK+fqGBRomL6llTfcMJ9LOnnRdGJf1ZoeneEm2d/nxf4axpPDwEc6aeBNAs0BpfyYpvyv2+HkrN1ajbXWKxo+zY214gF8EIG6bvI0J0ogbrQPSFFyViS/1dtnmCNLX016HIw9kNWPamgAXMfV+IlXazEFCPvo3UDn6MIel1unZ1pnyoHTUMYAHkFjYjsDMVsmt0faAcGr5JvBdxuJL3Q1JNMmxSg2ka69ucy0/OeHsZmJTt17xGA+i9x2nvkAt2XYKFBxtN/d0FnWJHVrdOlQBuQIoUbnyRSGbXa0c4CKwupjBOuKUH4d1FeHHf7C1QNFzvju8EbKD2ivC8+5JyXXIRP/E49IYGBhBMhQnZFGQS3PDjxxu60TCYQzQvCbi0I2tO2F8vETwIIvKazXWKCB+G30JnroNxDKB3SteEK6AugTWLi8r1UUrZUHJRj9N8aMfTL/OK4VLPZIUyzpisXjc7anQwhnDS51Kkh7cp2GOFffgfgFNXvayAQmQlfYSuQzWFCe+YW7KwLOkXZBwUcoeEutHU7utdDRb433FImg+RjbrKiYB7xDQGyO2WbHjPawjxjITytBh4V+vmsMptsOmyJ1dk7fbFR0j2OQqYyUdEDLT/6kKJvVrdEqikdtJ2PEwNF4nQ85mByqzH+SlCPHfJClsRquDOHZrQcuz+ngoSerd0e+Kb6LZXEnLZrVVgYKi3gX+vX5SKUxUiXFIX39qLI6Jgn/QthgSeY8CxVg5XnFZoeSxGXRiUjDykyJzmzrSGQLzOzO1rFYy0okVhXGT+Sb86Y52zQwGyCcqraynF3qVQIKIrZdoDZhxlfziuhy5Kq3XN2XgxzBmB525v7LDtN8ZrGgvWH509VWneLCDXfo+OCET2qVUQ4YGDN22oTQk10hDTueXBmvfJL3IoN0vlOkJyO5yLXJe+y7S87q8HEAoUAVWMdBfZxvKnNTLP7HuIb42lgkrRiAKVT74eP/sc4jpg8wYajI25iRy3ZjwI7/ZE8oaDLllg9C8HS8y72ligtmSzHDgJy1tLdFHIl++mrbot92ee70TsF4SciGrAqIboGVL/K2YV/6L9xl97lBurKGEeTqxZiOBFiqftMaEOMUsYfBrESisqxsRH+vXgHsX2vU19PSLSZjE3FLVVqi89EL5mkGb0GUZf0nhnS6nUZqDIC929uzSq+y49po16KnfWM3vK98QW3LhZoCoZdjlV0rHx5WzGbO3k8Q2FuFN5AXO7tnQuaiEJvkPi7mJT+gaRJdh1zs0Y1NqfP7sdE8yCXQdANqOjv/WmJz/O9qFylhOIAX6GnFQryobRk/RCdTSmjjEQCepN4zsgIAgZd7oErK3bhl2hhvPRe+hGQDAqy25D3U8y5wcKln9wiEumrANMcLR1yEkHIWqYELravIsfKPo0fwE/kQjAcm/fKPl3d7Hrwc+XbIxn1hCM++rNlLZ10/mAi68bzRs1yjPdxBqv7pEt1/47ilseOs4nkaqwWU7qBP62HSfeAleYuYiJStfiD1tvGagTDrwzK2Kl5gaceGwM43Cv4B1IVBv2bFjyRYoEHTtuzMqf2WDzPZiQCipaYqze3+uwnRVUTJJ61EN1yLfU9ceu6vaPtiuU75PJgTe6xv+3/L7AknUqRgUgmiNfBz1a07VYkFP3/xOgBWTxzRX7Mh3r6tWOtckbFzgKlxgS3e58SEBlAsa7KFJhapv8aBIRq23AOHYV5yU5MtUHTRJIEmzHyabM22lKhuioBLKsV6iOJ5y40vl3CVrxlmvSq/ZYci6eYI/OOD3gX/2bwGFgMOFPl9BcAPgDSwnwqzWMHz5hoMDxjmwxxnrk9SWdmduvB51IbzJKqJ3S8GqWd41GWJT0R1QwEyc6mgIEXbbtJWfRHGUeVHR4VwNuijD87XQoiOAA4ADYAYQAwADkAOQAyAGYAZABjAGUAZABhAGYANgAAABCAYBoMQQBkAG0AaQBuAAAAIhJaAEUAUgBNAE0ATQBEAFIAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCNnwAQwBfAEYAXwAyADAANAA4ADUALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhwouawA3gBgAEBigEIMC45Lm9mZmw=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\ny\..\Windows\gnji\gb\dwg\..\..\..\system32\xmgr\jgsut\lwanx\..\..\..\wbem\v\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\bhxnt\..\Windows\aency\mrs\nt\..\..\..\system32\mrcd\..\wbem\xyq\eu\mysw\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5401⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB