Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 12:56

General

  • Target

    d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe

  • Size

    351KB

  • MD5

    391370b48b8f64f86c628742b03de53a

  • SHA1

    0c4ef4daef2458ae999d2d3bf3ee837491369a25

  • SHA256

    d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125

  • SHA512

    62527b56eb597c1a177f154793f0734ed3e54df7dfd36e619f07a44cee2e22190920fbd15d34a5c8fcdd54853cbad95a797c6fbadc0f5f19ddf25b13945b4adf

  • SSDEEP

    6144:nNlHAp8tUArLrLrLfMemq5MmsCdKSXZ/cJlCJ6AWJE9V50DErTNg/ydlb4fQ6wFL:G4DmGw6yDKNg6dNoQl+v

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> <p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>filedecryptor@nuke.africa</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">EzIBay3eAI2eUI91Zne78IeXNhDLpWJGZJGwHZq60norfxs4iNwmdeN34kwKO5YzU3GR3H22ya5Fv+lmWkgAS98QZWWRYzBISa8XQHAa3i/UK7pC4K4yduWnLfQhgNGPJU9Q2kkqwYfbgvyEGQGygCk0GwIGTBv2+0DgwG2OH7y+PHzng8RiM5LRK8F3/ahnOx3DOTe6jTZGqNS65N2CdGNv41cULKbJkjXtw0XaNAKnBHgHQduJE+X1g/meK+UE42exNbIK0bRjKJ8BFYOWHpdZ4O2nx8Jb38GuWqNVlpwkFeTHh0Vc46OEza+1MX+NfQaBmU6qf3Y8CCUIBKYOxIZmV1HinsadMeUwOBmIgVw0sUTuu3Y2DookOFIuug9+Hq3mBVO6Yme7SwZFQeBwIi0oOJUeIE5W7TMPmPygnAT9ns16grFyiuqJpI5wctCYntbnQtu5MLAEzhwWWKZISera63CeS58T00WQt0J6EOIG7q+8TrJPWpPC18szwwTA9HJT7IItK2Kk8Zsp0XAVAtrbXR1Jxmuzi9q6VAe3iTcFpqtGFsUI6VxVzQ5aZqqGyqYxB8RhxU/0lZjkypSIVThbQPXQoylLlcIe3UuXyni0TIVmN7NEyyo+Sl29nj0br6+9QyBjghsg+p+vmkp4Cm4URUPQxuhOJgDYQK36DtlUjbSxDj4wCcuVI012rmALRz1RWfukwplSFnLbM+F/DpvM95vyeSEi77vvbX8m+4wxFdvKTd4K4aSRoGurY3+Hg8isC6jm79u5btkuCDeohhducbY6+Vq6CdTt44hGuEs8NVaHbF0K5NH97Y7MOUYC89dudvVYsbl0EXCT6shT2+vnB0R8CJZfPqKvzn3mtT0Wvfm5UsHYFfbmvE6CZIdO3gQzH5aSxMA2YRdqiYaJa/F6DC+BAjQI6ApaEYNo73EfqGVJgVxFpAtRxRiSAOBnzxJVOHkS9dY6ULDEOVyleM9Ib8eGNMrWiRWPjH3WbPGT1Id5ACfda3TnncLTsbCit6d2sHNZa0cZ7ymjlsDZq1LC0N5cFJUOfdBIJ1EbTyCcMEVQlAlmM78X3iDNA4zt1Q1UWjqSrLT+ywG3F+3GLlwaH5vP+hJZXZZUkZrnxWb+4K99/jKWps5n9PkMmecMe/HNVmscTxldVHCl1knJXfvTelb8JjDdNB4dt2Kp5g6BhshvesO8Fn9kgF2od+mwJ2Q3gWLUK4KLBHsmv1iUSbBDWuV9fPvWWXwew+KbqrM+6bW9PSlTUPQm2xNkZE/BKdUPsm2ayyzwndP6yvuTyJum/FNR/AH4t7zP1X23gKXpCOUDhX7acypFMNxLrjZPyBO64RJNcwqEVVHzbNe09Kj0p7mzWA3ij3ITrqwFzn9FaOwSXc5Z1fQMohvExVIdN11vLlGD+kCapVm0PRLT2upGkSQVgAlsfsXhPA48Q3epOY5+Kwq72usUABKK2dCySR72BP81QzJ9NT9tptjl5+22W9WcN86lnDo/ISJcdKpJHgVejSWGAICTI5bcXWeHFkiBfpIX7pFKYfC/BUnCMFyveAdSpxNsBWV2P8XRkS4mb81W+hkXHXE70GcyjEDOrHHSPDcm1Pfp/nkGP6zBGO/uyN7KxIq5kxJIBxdt+x/uZAYifgiJmIsibNkN+2+YqYhAFHPO7TBA2Iu9g+y1dgvAZVp341IUS5vRm2Y3rBaa3Fd93UfWKqhXr5wRHxgAONXtnrULcFlBlXh1tpyMhQrvHKAMrKYDTNq8RGB/Fsp/N+YsW0WhRst7h0iYxCXcm+TJlTKj5YdcKTe6WbCMHko7al9fNDBk0Xo3wkniXpheWJJ5lZscwJeOZfMNh7kypBMcGsgvqPNONxkjm9T4dIV/+hNsgFg1Um5HvdLtK/UOWrA4TH9/y3zIk1+DUvhTEAoZwDAkZ1VxckICruzrYzFZ4f8aPQ2FV/PyEwO0W9gGcGdx3hZNJC4ffLKcIW+I3OFf9dZfzOhafVCef7WGYfDHPNiz9UZkiblgeOpQFKI77sJxcem9H68ubyBfubs22aI9DkGRxaB2oeNbLyfjuQe1v5OS1PmYhbDShh+762Sw/aWDDozAvodbKC4DZwaqJPBVYFgwJMtMnuoEygosyw/1tMTOBlk6IzbdQKy9w0/J+IhX8dO3heq/UZlwxEpx77WKkGskvhpq4l4uLUI6b2wUeRx8bV5pnBRu466dJ7K4K3fzMQj23rn3fgN4XmuEHF3pKAoiOAA2AGQANgAwADkANgBjAGYAZgA3ADMAYwA5ADUAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJCAFEATgBEAEwARQBLAEcAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCRm99yeASAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

<b>filedecryptor@nuke.africa</b>

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe
    "C:\Users\Admin\AppData\Local\Temp\d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\system32\wbem\wmic.exe
      "C:\cwmk\qbne\..\..\Windows\pd\..\system32\t\..\wbem\nuq\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3760
    • C:\Windows\system32\wbem\wmic.exe
      "C:\tim\i\ah\..\..\..\Windows\yisr\cuhs\dvby\..\..\..\system32\qur\u\..\..\wbem\gt\dbfhn\wqxit\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4720
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508 0x53c
    1⤵
      PID:3948

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Defense Evasion

    Indicator Removal

    1
    T1070

    File Deletion

    1
    T1070.004

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Collection

    Data from Local System

    1
    T1005

    Impact

    Inhibit System Recovery

    1
    T1490

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_12D5AE826878445BB2DB1431BF9C280A.dat
      Filesize

      940B

      MD5

      3fe7a729cd7d565f305511888b16e766

      SHA1

      949938375c1a51c1b73a7ae94110a2c21876fd44

      SHA256

      196b6107fcaa98142a6ef89c442c6f7dc9b79fa59b55284dbd0d49762c260ff3

      SHA512

      a732cb047e306819bd0e741524e53536d5f4b8259f6fd569c0a4e9c8c5655dd84b830958cf7eb01c368451381250fcca406013e1c1230633b101dde82768fbd6

    • F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\DECRYPT-FILES.html
      Filesize

      6KB

      MD5

      70f694511ef83e371efe623aa5dded34

      SHA1

      81b8b1ee49ee5e667a003475b10e6bd66589764d

      SHA256

      f094f8ac2ef943bd3cc8b68e2f09316bcceed15b0c907c38328f3955a89fdc2c

      SHA512

      6584094bc9aa05cb0d6e7d4d17ae579c3dc29e9e81f50360dc4a29c27805759fe02927d79aa39a91ed1d3ee3bebbbd5aa16d3856d97e286fe1ff1418c31978fb