Analysis
-
max time kernel
33s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
22-06-2024 17:04
General
-
Target
df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe
-
Size
534KB
-
MD5
8e8eaa9b81f664c796225ac49e9ecb71
-
SHA1
320e25a4b4918dd76582c7f7e68f3d68268b17f7
-
SHA256
df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d
-
SHA512
66529bd7faa3275856fa87e7ec5ed250b0fc694f12e5fab2d1e84aa367844d42c7a19911065c9f2985752d55addc921797c77861081f2f40b5f1a69f84d935d0
-
SSDEEP
12288:1FF+1IiVMR/La01MZa03EiYIRKoMDKd+A1Ll7e7:1FFroMROFZa03EiYILWWvll74
Score
10/10
Malware Config
Extracted
Path
C:\Users\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Style-Type" content="text/css">
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 15%;">
<td style="width: 70%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Encrypted by Maze ransomware v1.2</b></p>
<p>!한국어 버전은 아래로 스크롤하십시오!</p>
<p>********************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>********************************************************************************************</p>
<div style="text-align: center; font-size: 15px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>1) E-mail: [email protected]<br>2) E-mail: [email protected]</b></u>
<p><u>Please write to the both email addresses</u></p>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below the Korean text you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br><br>
<p>*****************************************************************</p>
<p>주의! 문서, 사진, 데이터베이스 및 기타 중요한 파일이 암호화되었습니다!</p>
<p>*****************************************************************</p>
</div>
<div style="text-align: center; font-size: 13px;">
<p><b>무슨 일 이니?</b><br>시스템에 고유 한 개인 키가있는 강력한 신뢰할 수있는 알고리즘 RSA-2048 및 ChaCha20을 사용하여 파일이 암호화되었습니다.</p>
<p>이 암호 시스템에 대한 자세한 내용은 다음을 참조하십시오. <a href="https://ko.wikipedia.org/wiki/RSA_%EC%95%94%ED%98%B8">https://ko.wikipedia.org/wiki/RSA_%EC%95%94%ED%98%B8</a></p>
<p>파일을 복구 (암호 해독)하는 유일한 방법은 고유 개인 키로 암호 해독기를 구입하는 것입니다</p>
<p>주의! 우리는 당신의 파일을 복구 할 수 있습니다! 누군가가이 일을 할 수 있다고 말하면 친절하게 그에게 증거 해달라고 부탁하십시오!</p>
<p>우리는 귀하의 파일 중 하나를 해독하여 나머지 데이터를 해독 할 수있는 작업 증명 자료로 무료로 해독 할 수 있습니다.</p>
<p>개인 키를 사거나 테스트 암호 해독을 위해 이메일을 통해 저희에게 연락하십시오 : 메인 전자 메일 : <br> <u><b>1) E-mail: [email protected]<br>2) E-mail: [email protected]</b></u>
<p><u>두 개의 이메일 주소를 모두 적어주십시오</u></p>
<p>다른 국가의 법 집행 기관이 항상 몸값 회사에서 사용되는 전자 메일을 압류하려고하자마자 전자 메일 주소를 사용할 수 없을 수도 있으므로 서두르는 것을 잊지 마십시오.</p>
<p>지불 할 의향이 있지만 우리를 잘 모르겠다면 전자 메일 주소를 저장합니다. 나열된 주소가 압수되면 우리는 새 주소에서 귀하를 씁니다.</p>
<p>아래에 큰 base64 얼룩이 보일 것입니다. 이메일을 보내고이 얼룩을 우리에게 복사해야합니다. 클릭하면 클립 보드에 복사됩니다.</p>
<p>복사하는 데 문제가 있으면 현재 읽고있는 파일을 첨부 파일로 보내주십시오.</p>
<p>Base64 :</p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">q5rumgB+lP1CLey5n20M/7JnRAGBeBubS34On8ndsqvLrlAig6CEvobOGEktNS85NdbgQT0JCAZN09//MT1O4PdTox/1FA0IOKuoQhc7oNHRFAAyLc7nmTNkvNgv6cMmSVroHopmzO0ZmkE7t/NfmeJ9OYQu+5UqDZ2QB622lWxUyutTepHhHKxr6pJ/zHE22d/D0zuRsA2HupIkWrAyzLAwAWiOmtJH2dhgXotkswqgsNxt5EtI/Hj43BjdRAuCD0gIx5Fcc/VKLP/ydZr63hh4l6DH0FE/rSsn2l3JOcXHheu9YNJsZrb4FspTzUUqWqXuehrGO1LAiJ6kwiqvGRIyR04z3azvpd+1q/9lOj7N0aqFv1PJoLf37WEfwaaX0+TkGozBHcbB4q9yp40vYPc69y70B7p9VMghiml+H0G3q5yWwokcCXlOhpJ5WlO8wZzrJ4ZrFrk5CIPqfRDf7Az+vifmHej4BOEvREkgdBRKZuDj4a4olvp8Vd2bpjp6JZI0DeHHDvp2bNvuok7EtfXOOYtSmDkz2sJwmGNXFuBSOJ1mdHaJCboNeMlgJUreEGcFMO/CcBElU9gKSQMDOzWPEbGRCjAgDKCZvaUgjJ3MtycENSVJT8fEWSOMkfwnboYsGr4eV9vUNJDW2fLf890jyB2I8RmPap4kTPcdX2uGfhtbYn4e9gW98+QP6RQgYibkxUr1CrhR+57xCoB6+Wg4v3bPkTznVApHQZkcOB5VqPE6eOM4tGwosUzyoJC4THdZ0FxjFFnHPwdKyHWSHdSvvYVbnjI4syIvsDrgG+i399jtDc9DIY+MX85Rdfpyw3IfnP2rmw+NXsoU3/IBOU/+mg2SalK10aD80db0gC9zTsOgGWd5q3Y7daMQKDzSVDNW2JLtXi8dJ7bhTkisiG5AndJPWmyiKRltDa62dkCstNmyprDgwLXEgoElJq5UWipN1N2QhkRGz47ei2sk4fe1p63NgFXN6cVWnJ45cLb8/r7C+8IjcpYUCrPuc3P2DDw+F3lUlTltSGpr21dKPNAYkwiGfb+zwOzMwq8slkKHSYQzb0Qq8eZE/koHKG6HzIohiE0HOxlLjPpi1gzi0k9Jxs6P5D0pde2Nn5IJ1rnU8vRJi9HNdfAqxjnYkZvfC4/jXoWYUdS277/Js/ecxUEFeKt2J/tIuDUoGwUqdOUndUeCNLyJf4c/cjP7VrPEwfXBNG+RzCUrhcB8J6IXM3R8ScMIW0VbtI60I6bq0n/+cDXPWJ3W6/wz4FgWggAN/sEbFlpoJlLcWl28KaOu1+oQUOfx2of2SQz3phYYpTISuuh2u25wDZFl3MIRmY0DoghKlwl8hfzm9TXr7jS+5SExds39hII2O2o4pWv+ChWczMOKrUni8GJvPiYWHkZYRJrCGlIXsM0gz+mlhdz9NY6lIoaDo4AvUHRG+46Dvpfph991nN9ym2/47ovpsobNHpgyMA+TyZKx4aULubkt5mnQNSlgeGpHIXXliKKSKFqftSV/+qnpsNru6QyV8FWPplZDWGic7qH/ZdlxBw3FT3aeMtJoHQWifNROs6UXf6OlN1SJmcOGg3sS0+nRNiQ6bxtyQv1MMRWFgebNJ0Qwth+sCkHqbnnokK4NOFoLMq5RC1KebBHi1XPAXWxyjGRkIBlrv6Jk6jh6eMlJSIucTp/RKAuw8HEtSUtloQyXzdE5KVNljUSLFHxDO1vIXsKZYk1idCjPVsmHDdY2vEPqfWfq8zFeI6Si3anYAIeRyqrvcl6o+3vIwa4ombpqp+7g4UoR3jeQzz7V9Fr9JAIheNlWh1jHetMv2ahIFzJv+y/GMxu4MrVGu5DR4IK6JNHmc5zJZ9+hEJ7J5NbSzoT7r1eB7ek9+DCeZArMKpu/pLZGiAmrspSgvG/qE4x7xwQc6RsR/SxVBjoE+BStqPyC/2rIcZouay9rgFpdzKQfTqXH/5YyKQCmD0cbMu1Tmdq/UJocJ2htHADrjiw+vdn0c67bz01HKPtAG44q2yR1+O1dZhPuqkrXxYfUeh6PY+7wa/UBxKcjpm8PmcPu2osqbnN0U1X3cUCIBLjGgWae/HHpXCYRQ+8SK4TucRozXlZ4p+OqktKSfN5DKeSdcztWYXdfknsQAQPR9Z+H0s3Y8l26d3lzk97zgVY1lkoX/INTJmUaYJ6XsdHqYf04Dlh/prGGM+uvK04qormggLWDBa1L1RIrY+80egHHmlE0GqZRSXAkIQoiOAA3ADEAZQAwADkANwA1AGYAOQAxADIAYQBkAGQAZQAAABCAYBoMQQBkAG0AaQBuAAAAIhJUAEkAQwBDAEEAVQBUAEQAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHDxzdh7eAmAAQGKAQMxLjI=<span class="tooltiptext">복사하려면 여기를 클릭하십시오</span></p></div></td><td style="width: 25%; text-align: right;">
</tr></table>
</body></html>
Emails
[email protected]<br>2
[email protected]</b></u>
URLs
http-equiv="Content-Type"
http-equiv="Content-Style-Type"
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 54 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\nfa\wjx\rbak\..\..\..\Windows\g\qgrpr\..\..\system32\wo\g\kyg\..\..\..\wbem\p\dmv\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\bfv\roceb\wad\..\..\..\Windows\gc\jnr\..\..\system32\ll\bv\..\..\wbem\gt\joemc\tx\..\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940B
MD51a251b2fd172046b544ea774b27636dc
SHA12ef6aaef3905abb7ab03f602088ecfc4a8597128
SHA256259910c6781e1528df2d341ce6ac06d4299fb053d994667fb6c507f50bc33068
SHA512a70498a96f1da4e3c198bfaba0a8cef6ffa2fec8dfeb28e388c49442cb2bdec4ccb825ddba9216a8d7d508974da7c7a7ba6e7619510f3582ccb676beaec9613e
-
Filesize
9KB
MD5e134b90185da011b3a9a1461c17945ff
SHA1883f54deabc4c776289448a0da3ec82c05570168
SHA256d0f9df7f9682cab742c5fecb4ecd947f4c93eba7b94f1ea118258e58c3481715
SHA512a72613bfa950e7bf3827d10548938b85e7241b282bc3e1eb9c587ea168a741c07e210ff9ea05ff228d2c2b52941ff2999d3b3f198c2ca9469b19c65457921c4d
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
74.3MB
-
Filesize
1024KB
-
Filesize
360KB
-
Filesize
1024KB
-
Filesize
74.3MB
-
Filesize
360KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB