Analysis
-
max time kernel
62s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
19-09-2023 12:34
General
-
Target
d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
-
Size
351KB
-
MD5
391370b48b8f64f86c628742b03de53a
-
SHA1
0c4ef4daef2458ae999d2d3bf3ee837491369a25
-
SHA256
d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125
-
SHA512
62527b56eb597c1a177f154793f0734ed3e54df7dfd36e619f07a44cee2e22190920fbd15d34a5c8fcdd54853cbad95a797c6fbadc0f5f19ddf25b13945b4adf
-
SSDEEP
6144:nNlHAp8tUArLrLrLfMemq5MmsCdKSXZ/cJlCJ6AWJE9V50DErTNg/ydlb4fQ6wFL:G4DmGw6yDKNg6dNoQl+v
Score
10/10
Malware Config
Extracted
Path
F:\$RECYCLE.BIN\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">cY0HVhEfTD58lKe0pDIdvfqOgM7V009kHcNruG+gs1G/auauwaGM7u4LgC5pXKDpJIJf9huppcD9pfAwajVeiFZflbZ/iYVrboUdUpiDQcfe20GIGmlxiPsq3QJaV78fOX5bfvdpirdsAKgH19Y5GtfBwueQ+4L62Hki3+pnT+1DnkwnbLjgna9NxsLhY3Irner+U8oJVV9elafqYp3EokoRwfM1pTKRLKvF6zLaGeZu0U+pkbHVW6irYUo2ieVHxskFYBwWCkA9Droa+UQ3yMdFgRL10KR+74ErcsqFh+uBhkoGeTDwuoMbPFvMWtI6nPuAUuOh2jckLpuAm+O+Izm9WQqDPpS2bGtBNkiFjhZfmC37423GQSGExzd1oHotbAERrdkAy9k3kHxCHVN5v5UxEUOaTMcNajGDLjvNh5JO0bMGRiB+lVDAsaBjssOFSOAPJxZkD7m2alckMhegwDb4V2MAtsMDSEly8hzzTbFSdJ3LpZX0EUYH+N7JGUrX2PScPN4kRB7qFT1AC1ayUteK44zBANfpRMQFW6mudEhpDZR2/cWAQ3Si0oOOPX2i9uZa+j4vAl05YN8KI07kOjxU/BXK/zeV6QaGH9Fi8MSZmnZOOTBjmEFKZTo1u/bBB0nCA89O6cNUERaFWmFmJntxLkqCWzQWj9Vz+gVILe3jRtXBXB6MCsZuUV7MvnxOZA0Fz5f8P+APtnxE5RTHhJZ3IzorrlFraTFt5SFov5oH0qHfXnDW00VQvAuja45t7/P45hSY2ruzg0fOu3DUTFkw/w3t8Nq9zE/+VscUw1Cycdpebui5xDjz4lTYjICd6hI/8pdofN+BoV6f6QdUr81t5j3myH4aTU0gBpYu5CHChMgALA0vhfzSjA2IoL+nAZAKYUE+Bhn1B7kRNQnIfycSZIkriL7ToJLKifV7lnZ0TG2Bdosad5hCzADbzeSbRLbdeY/L8cAHb0ptw0cX57uJKxNZliZl6SVe5VKJf+2RzKvuNSzm+jUXW/pJ5MrvLbYBwibvxlZBeP8GBkU5Nehl9wOPJrPhq3rZRJ4TRfuAkElLKfgHY/L2BybttuK9muU2HCwpRe3qcGvc4/RWo3W9p/tIX/W/88GMKUClXLbJ5U7RTQlikhWdia3dXY4PLdV6rSrirQYyYRAjPeVZr4DIoTSh6Qt2e/udtn9CCRKKyOTgkICj8QHX6KW7QfYQ9VMW8K1xZgxFz7BFrdduIwtj8AHJfLfVOwNKmYxWzdTknY5ejNMkXchvU+XatP/bkuC7gV6da2kXZepI5c+xWQhzVJhj4pHXnVWOr2T2WCZFWh70je2yQF8LTXSocm8aSwtZENrkEiC70NvF9qzmEqurZRDi49wLlj5zP5tlH1hZ6nddCrFCnXkpOswY2+53ARywoDhbJ0nCRkoetO07IcOlFGOsxzRM4wRzrCAnsGh/XmWvst5XefHdxu19XL85bviEAQo2flWJ75ZqaoUYMvXfKBgXS0noqAyAn55g0RHVc/Crhi6OIv9PHYihk1fnahie8Vkvz/DVP4n2wMRZ80wIe6O+Pn5uJZ2KuHnGlQEmCCs2w5btsHVvgy3jKOUTbl1AwEu3o246AbR+SettJ5SAiUtPX7xtwcy/1XXsFGmP0rVgqcxF5A/t0Vd/G1MDluqSmf1u7nhTUw/uvloKwYF48p8fBKpFDdCFZ+338orE/h6N9OUPej9OhUIpkc6OkdxDhosyp8InbsYzhkHzSqGpp4Lq+WytI6UoUPspzOqs8ptYf3PqMnPtpl9+sUK6bDNcfezZDrcLHs8/EqsjfhSkbaqRCYFUOBDeEskqF291UIcaWhfjQ98Is8qWj+oCwRu1FxwllobbcQ0FAI5nzk/+BDD/KF86GjIeNrjfcKv5pvoAOMsBOhOAYhozXpau5MgD4UKCpdixt37bQPPNlV9QluNUk6MqKUMsDIfy7osoVMH/K3ZacLXRJu3Ts0D6ehBIdbSyGQOzT24Zqs4tC6retlqZ/FcEV6aDuUP7H+WXgrKB83XVpuWxmBhnwcJcBdIJwHG1iHqdhpcy3yFE0HjChGkdJ3ltjt45NbqKE+fVRSB+gZTyM/tT/EVMJEkRVZ+3YbTp0LS9aF8zi6TCNAJH9RslZ6F7+laiLperHwOEZXBMwUkUaRMbNechS+spqKD+J6Nsb3P29VcvLWOB/MwkE/c72wlcm5EbOZ2vOunndv4k4CtkNM+4aXOlGEHxFzJIoQoiOAA5AGMANgAwADkAYgA0ADIANwA1ADEANwAwADUANAAAABCAYBoMQQBkAG0AaQBuAAAAIhJTAFgAVQBZAFAATgBFAFQAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADAALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDr6N5yeASAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\dxk\..\Windows\ls\..\system32\uxxeb\vmi\..\..\wbem\fcar\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\g\miqfb\..\..\Windows\wdaxt\anf\s\..\..\..\system32\rhvvb\rpcyx\..\..\wbem\cck\bknx\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x518 0x5281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940B
MD50795ecfd36bca2f7620b3cbd0fe56480
SHA1ccf469a51e5510c3a6575721cc5166c38bbcec0d
SHA256db8f1c9ef4953aab528ad22334380fa39c37f73f8b0ac09472916e0500169836
SHA512eca69b6fcaf6367cabc2f6ff8a55af0c94e24448c48d0ce1fd22bc20addf83c0f129b6cac91d20a0827ac1ea048c84206b00b83d45da8747ccb54ff6daa041d8
-
Filesize
6KB
MD5ceb85b43e6bce6cd0bb5fa9c333444e4
SHA132b421b16ce6db3130ff7a62d915212ade74eea1
SHA2564f10b4f2f79af0d8ead02eee3b431fb82b1ce598e0c68d3ba7cb710388e614a7
SHA5125370949d03ad87a92716159789d31f15cbb90afa0d6f45aec0cb2231ccdeeed0cc816c14a3c9db91527fb1a528e2b4770f74aa028d6dbf5cb12cdf0ffb307430