Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2023 12:56

General

  • Target

    d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

  • Size

    351KB

  • MD5

    391370b48b8f64f86c628742b03de53a

  • SHA1

    0c4ef4daef2458ae999d2d3bf3ee837491369a25

  • SHA256

    d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125

  • SHA512

    62527b56eb597c1a177f154793f0734ed3e54df7dfd36e619f07a44cee2e22190920fbd15d34a5c8fcdd54853cbad95a797c6fbadc0f5f19ddf25b13945b4adf

  • SSDEEP

    6144:nNlHAp8tUArLrLrLfMemq5MmsCdKSXZ/cJlCJ6AWJE9V50DErTNg/ydlb4fQ6wFL:G4DmGw6yDKNg6dNoQl+v

Malware Config

Extracted

Path

F:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>filedecryptor@nuke.africa</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">mFQ9h1O+r1yAr58j5TPCT65WSB+zEcNA76NIDBwsbm+MkvaoNBLiDbspMTCGRGqlgvs8fslybHKgycZAwDzUTjTQHGSJSYctccLWhcerkKUaLSztJLuSR8vcsz2FoCXihkZmK/YGK5L4f9yPBgAyVUFBV891RizfSbmHkZkM1m+aNWq5rcjmXRLfZ9b2MXfltPtHykOYs6nN0XeugfU+bXVIDluTEk0fIz4W7PV/GuSHt/j0i5EJ777/4h7QqgTqldamC0XYp3yxQj9GqKVNsa1MxvURBg6+1WbbYsR1bdfZ+vqY2PMEQ6tXQzqEOU0QET9jfspREqGh7vkV+WPiAi43h+6wknIOFt4sri2RsyPkGfK5JqYyD3KRM0u7Z7rw9Nqe6mwhliuDgu8dw1o+HrDrbS78RP0EHbxejRTmw48nJZvqeOsxMZNLs+gmO8bJoxJKePtmLJKtRuGNnBRFmoFT7J9IL5/D8PRI9+3UCu2esZeghvoAYj1Fzxp5udNT4D8Y8LxFmb3ZJNl+GboMG1eofshBEbcWGOyUWGU1rnJPf9zc9lPNJUL1tolsmp0jP69TUPT2E+BPkxgP9PqGRBaBLTubjcRP15yO3mjTcv77+SZlcEv2ZHz4zNkRlL6aFkcvDmFD44msqP+awQ9e864e9KjV6eXv/kHenBb5/jgUfz8qnHXPvzNxG3SGFVC3nlaEWCmsZo6KT8spAncstSKmumpcQM6WWrYfz6xtdqyRX2S3Lxm3W973qJU4qWdF0G3ssXKT9q7i/6tFwiki5hfl4C0GzikNNKwT4wwTWkFgguAUj5CtXW6pQCmrTwHREa/pABK1kwEdW+BiDZ/Zvb91giYxJ7OS4j2xMfnfxXuKkrY9wILB02gMsupdNCz3PmiQ0/DDlGnLwUGyBWSFpJaoGT9p1HI+h02RnV/RKAIxu+Sa1l1/MtJgxQ/vEixDqb0DN6/0FJL28GbR3pnJTs4dIBiUy+A2j1lbNT1eQ0ZpyWjQyud3lFN5kP2FcdHQERGPL11v3Jx66XJ8E32MxBHohvinEhIZybWDEceSweykb/U36EyOfLi2MQdQHfehZfPwMMy+5V5nKCdxpbZ0oE1gw0iDiqLcBsYsF9ckMtO8GrmiD0dU1HA7sJZ/VdPpvQRPGj6RHh8Z8CdhJws4xQHVpdXtdrPleciW84v02PTTOcmCMGCRy5Q4UXn5oYlH3x4O1i0++CxnuwgEy1THSMACicJ3gMaPd8g9uNCEC0wSyl/5Ez+jD3pY6+8WXNwPzTBHEtNw6fYaPbLPs+kJH/h6NDenKsyhA0Tm2IertE8E9J1+ZRurtKYcqHRn37JfOS9Xzk5TNLTtBF+ILa30JkqglvCGh2ChBYYSsUq7kAFAvseXw5dn5uAhWkf/jjW0j/2AvHXVKMXqf1If+UbT4f3aQqkULB/rnGBeSJggh9koYrExqb6RwbbGajfwyNDqXEEZZ/VyKmuAWNJQ6pc/I1Mt7OesP9nON22EVFHdBBkrO+PZvU2qk1gg0P2hCMp3IWVArimpZZj6URoZfbcSJPM1fBLijpoDya8/m8agMQ1unfOYBLnXSzMsLY6inOGb63TGYiJv5o27ElLoBXg8dfXAlM6oaVo30NMlP6uvw3e2CVJK7spmYUIvJKlOeea8c2Mmq8y4xFr4qqKMBHZerXVX4pNTUprZHPCImWPMqmh7RC5YB5LIQsJDStLfj58J8XwNMv/JQYkBQEEbLIYspBRW1ef6w9UqE1ahNmzACOaBJXuyDVLppQzMsvVKOT6RE4qLJQ76fd4K8xwnpwq+ygNl42xuUrKRd50cWBj7ICxPE03S3nNZjyue3e0VX6ul6LZwjMND5QhYITNHSu3u82UlFNYA5dZbdGXWcQMbYgvMrOhiaGq1Ted9HHM3hw9/9UduhxK3UCIC9nrbQmwrpKYW8s7yB54hge5xiNigxQabSSmD8CHv5wdwhxU9SVop2hF/2KvHPIU2FnDqG+D4VoPqDvSeuyt/V2eGYMzXMrawK3GxuYRuQ2H7VrUeoaCwBrmKwOPHCTDRETFbaNh6ynwhtgSn9IG4HoeXjoNl/In2LKDTymIUyrDc3aDbdJ72M9hB+/7Jr5XZWyQZ7dnYlSzrPDBVvipChNOGkDEZwdmfMgcsR3LfLOTlMfRTqkWAOGB3GogSrVQ0wXrQpO7cr7aamYZyaMG98rVL0URBV4rEJ2N5lka7eSpvuAUnwbA9hkMvHgoiOAA3AGEAMAAwADkAOAAxAGIAZQBkAGQAZgBiADYAYgAAABCAYBoMQQBkAG0AaQBuAAAAIhJLAEcAUABNAE4AVQBEAEcAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDMmNl7eASAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>filedecryptor@nuke.africa</b>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    "C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\system32\wbem\wmic.exe
      "C:\r\..\Windows\klsfc\qat\kdh\..\..\..\system32\avw\..\wbem\yb\x\catxs\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\system32\wbem\wmic.exe
      "C:\o\..\Windows\rw\uyiw\wkxjr\..\..\..\system32\jhcst\x\vkvm\..\..\..\wbem\fwpp\ofa\sfi\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2508
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:612

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Defense Evasion

    Indicator Removal

    1
    T1070

    File Deletion

    1
    T1070.004

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Collection

    Data from Local System

    1
    T1005

    Impact

    Inhibit System Recovery

    1
    T1490

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6C05534B928E4F6F91125D9EE0A20666.dat
      Filesize

      940B

      MD5

      ceacb585d206b94d693d2ad175a610a6

      SHA1

      d26f83a6c068cf41b5f65e7567272c7331c72601

      SHA256

      a7169f1aa3c74f3021bde36d4d7d63510d8b5a29ac52c64c224db5177023efb4

      SHA512

      5e53ce7e3b07d9c9a999ae4a1e30f805e3d8a57c6ac30fb3bff05859befe9263aa2ffcb6225243748a57a3a908ffa83a14155883a65121f05866eb7935454134

    • F:\DECRYPT-FILES.html
      Filesize

      6KB

      MD5

      f3f4beb786bc21026ab08dd48a55f3d8

      SHA1

      3e9fb69b7cd51934931d4fd18238b658eb219cff

      SHA256

      5e08dfec4d64c1d4ecb2bb51b59fb41bc135c52ee0ba484214654e00053ae6a1

      SHA512

      d54a891fb64c63b53e8a88545b927e64b4a1171cfaa87ac7cf2302a2f72ec5da35297ad3d8324dd33715734ccbaf851288fcd5db022945c1a3458b7bb88094a6