Analysis
-
max time kernel
954s -
max time network
962s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-06-2024 09:53
General
-
Target
1.exe
-
Size
447KB
-
MD5
9823800f063a1d4ee7a749961db7540f
-
SHA1
9d2917a668b30ba9f6b3e7a3316553791eb1c052
-
SHA256
a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174
-
SHA512
c48624e32dba7f08ce0ca8267e541b123c6a9bf848b81d9e62f7fc4bec9b8ed801a6204ffaece4decf0d31bf2595867ff6f8c0b176e366848b61145cc585e41e
-
SSDEEP
12288:Yn+KS3UINuBGCz0SxWUNmH2o8PXwU9Eq7zKloxTwRtjauqCXy3X:Y+FUKWAHNqXwUlzD9w7PqCin
Score
10/10
Malware Config
Extracted
Path
F:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000080; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<span class="left" style="font-size: 14px; font-weight: bold">CODE:
<br>------
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
<br>00000 00000
</span>
</td>
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><s>0010 SYSTEM FAILURE 0010</s></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
<br>
</div>
<div style="text-align: center; font-size: 18px;">
<p>The only way to decrypt your files, is to buy the private key from us.</p>
<p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p>
<p>In order to receive the private key contact us via email: <br> <b>[email protected]</b> </p>
<p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">9GX6wEPpUhnJOuqUjj+/DLA5dujXv6nFT90I29c0ilM8fMNeyJTBzl6SJOTkX++T1WCFrg9V4/+4o4zNFOILFMwAiTvQK7Zxhf4gcOnpzs8rvrhQzxDE7AkQn8s0MXTabeixLGITmqP2sEWShcZWRuJdCc6ugwF5vXLEflwWNuyQiuQGqnO/uvm8l5YdwTISyVpTXJnRJaOP/hkKTRhCid3akqnfsaGTcwNiJGGP/AYp1ZSMzukPlwuLcvIgPBOYI4+fiKFEkNkHG8V1ROh7a+jpVhzFKAyeCMv+ZZF2k8mYdeoWY26Dgw3OGg3a+sLqgTAZtTAt4fp1A7z9RfiHsh5o96Yk0WLHhNB79PmaH05dNtUkwJ66NmESuFI2kETcHs8ZhU3zEyge51mWUSS0FX7JWEiDAthp0cS30e5S4yPjnNFzwMaGr0Kzcehnqwk79GZKf3s7UYOsOF3LS7lPriGpDH/NrQCfdtmtyoRCtFIXMf4BLc68REQaAb8hCkAOjD91+82cgpxRKN39vCcLfJENMRLTgF7O8LmWWvV1QuhCWCa0UfyQ3I8J1I56hU7D9q5K57Etm2+1mHY+R/95xnPo9e+dB8Y1q4/DWgbQmp0zH0/p2ohEOLJoeQG1LFSRXdQ1W7LlO9S8gA9nVBydp+QtTZ2DJRZp5gjdMQvbuYZi+uB8OoSIXp8mp44z3mJ7XjpN4ut+mZlJlLIJV6oAfciYvWwySrQ3Cd7aIgSF90OtX677z/litBWBF9WcSzg+NSvuavjPq9XLOlC6Tod5A8Xq3c4lZuoPkcNLneFjz5Nb5P5XwYmas9syduXQyeVkGNok/758WkbHNI0CXxHXVHR+6lq3ZMc1n7u2hXK+UbEchyJjz2ulzff3Dr/0HtjVGTNBa+HiDe1HGjzGVBY+wAuvnwYGmoNmQj+brQG2UXOoBMNvLeHIFI4ZPvJRmFTNFzSP5r8qyUBAyzBwTY0dkFtMpKqmaaPtREEUxWmZVXxnkcDoU1hkkvQklSzbvwuZqS0TKXbl+q1ezQ9yYaW5hKlGjLmQ64bFr6uoHn+ShXF8IirD5FnbV80m6e9BjPjlIkUMdmyUY0JImQiBwt7EuiEe7UAwPp40iWPmae1WsgwRWctam84lGhE2vAdYWwhq25O21WM3OOOq+JFWHWNcjfx56VZUruiTfXjBipfeV8wqaAohc0n2MZeWI3r+vYz2PING8w3Q6vVFPgFNzQstDPyqjHJ5AyBWrbJw+tD/eJS2keU0XB0YtJZoSeAkQKpur62ffKPj4cbvdVc35+6ylA/0kDQWqyEEveex19oL7YNIE097Gm5dbrTPt3SNSFGfu1EsW3h61nOSBdIvaz50qLfZ/FFJsZPWAvHbv+tkghwhtXtHkXqb/xz754Nrp4DG2+IUBj0qTvZEla9HJI/nBhWurjUTXof0Sm8Dpx6BBqSgXtNol6Piv14ygq9eIIaR5xUmGnIFGpDMyEXxLTta8ZELUJKQqGgUfjCaUYf+entC7LoDLtxwTWy66tE63c7jP3oi7HaMMK5NRVbyl1rWPy4Tz7+M7nKdrIr/I2l6n6I3Lx/4Ov6+gdlnFytAFIzFdmJPxtuZXOuiAKV8mUqsL1eQmBfKVCbroouzPYEIlNWZqPVysXF4FPPlkLlyn+eDNX3XgRzKmnzRFbAHeh1yWHUNnNMk6WnCpN8bvb+XXVRe6K2gYAY8wKEjjOwerDcXYfgKidVUOqijnf0eiljM2vFI9Nvzwm4YZZtWv5jpyLX1z3pwBJAzBkNTBtIAV/dVuFsgk0mqxhQm6m3WCeZRGK2dVQS/oh5b+eELNURZk/6F5YoAxJz4WBH65hOisAvXYkpmAm8c+HDjljIDTYQZwZV/p43LbsBr7mDHqVU9L6FlE2k7+J/PFsPq9UbNYBnwB1EzKhXfH4AbmxdhpDDEVASg1kHGx2VHcIUUy4JLw53tFowQ2g86TplkjBf4TWU5bK5Yz+gaSkOrQlJ7/P2hSPg4U760hy3Pux9GP7aaNjxFEAruVNvDR292hRBnzrAih+94ZA8CvXYNws374NJoXtCKyGO1N9Z35qosO41UAWhRLcD7/o3DSqErdYzQzVIapu47+gOncjTXUfs3PR3ARzqjXSjmaamXlS8piJ0XOu1ZCg7vPe9ZOwp7Da7znTsLeK3F9Lv/e5s0nnNJrU4A/W5K6VhcDlFkYULxK+LtQvnNZA2e5KiG4IsERzWszaN5QVCZWAoiOAA3ADQAZQAwADkAOAA5ADEAZgBhADYANQAzADEAMAAAABCAYBoMQQBkAG0AaQBuAAAAIhJPAEEASQBMAFYAQwBOAFkAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD9peFyeAWAAQGKAQMxLjA=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00<br>00000 00000 0 00</span></td></tr></table></body></html>
Emails
<b>[email protected]</b>
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\ris\..\Windows\c\bbe\c\..\..\..\system32\i\..\wbem\by\gv\iy\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\pjoig\bjf\ndrvr\..\..\..\Windows\v\..\system32\txh\..\wbem\vu\cjonf\ihdqv\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 23962⤵
- Program crash
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x470 0x4f81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 392 -ip 3921⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5348ccf8f265db9d6588c37f06f89a5dc
SHA18518e635cc4aaaeec1db342c29be880cd19154e5
SHA25611a769eb18e3bc89df0778031f47c8b6efa0aa656d2d3a36d4f519afc408f3e8
SHA512eb10ee4e9efa6ef36db3f293ac336b4b22f9d6a786ff0ed310b10a930b3f672834731290f542373d12272e6dcd8b3c3f5a47892d8a0b1e2c4f09180c179fe433
-
Filesize
356KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB