Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
22-06-2024 18:41
General
-
Target
df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe
-
Size
534KB
-
MD5
8e8eaa9b81f664c796225ac49e9ecb71
-
SHA1
320e25a4b4918dd76582c7f7e68f3d68268b17f7
-
SHA256
df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d
-
SHA512
66529bd7faa3275856fa87e7ec5ed250b0fc694f12e5fab2d1e84aa367844d42c7a19911065c9f2985752d55addc921797c77861081f2f40b5f1a69f84d935d0
-
SSDEEP
12288:1FF+1IiVMR/La01MZa03EiYIRKoMDKd+A1Ll7e7:1FFroMROFZa03EiYILWWvll74
Score
10/10
Malware Config
Extracted
Path
C:\Users\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Style-Type" content="text/css">
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 15%;">
<td style="width: 70%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Encrypted by Maze ransomware v1.2</b></p>
<p>!한국어 버전은 아래로 스크롤하십시오!</p>
<p>********************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>********************************************************************************************</p>
<div style="text-align: center; font-size: 15px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>1) E-mail: [email protected]<br>2) E-mail: [email protected]</b></u>
<p><u>Please write to the both email addresses</u></p>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below the Korean text you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<br><br>
<p>*****************************************************************</p>
<p>주의! 문서, 사진, 데이터베이스 및 기타 중요한 파일이 암호화되었습니다!</p>
<p>*****************************************************************</p>
</div>
<div style="text-align: center; font-size: 13px;">
<p><b>무슨 일 이니?</b><br>시스템에 고유 한 개인 키가있는 강력한 신뢰할 수있는 알고리즘 RSA-2048 및 ChaCha20을 사용하여 파일이 암호화되었습니다.</p>
<p>이 암호 시스템에 대한 자세한 내용은 다음을 참조하십시오. <a href="https://ko.wikipedia.org/wiki/RSA_%EC%95%94%ED%98%B8">https://ko.wikipedia.org/wiki/RSA_%EC%95%94%ED%98%B8</a></p>
<p>파일을 복구 (암호 해독)하는 유일한 방법은 고유 개인 키로 암호 해독기를 구입하는 것입니다</p>
<p>주의! 우리는 당신의 파일을 복구 할 수 있습니다! 누군가가이 일을 할 수 있다고 말하면 친절하게 그에게 증거 해달라고 부탁하십시오!</p>
<p>우리는 귀하의 파일 중 하나를 해독하여 나머지 데이터를 해독 할 수있는 작업 증명 자료로 무료로 해독 할 수 있습니다.</p>
<p>개인 키를 사거나 테스트 암호 해독을 위해 이메일을 통해 저희에게 연락하십시오 : 메인 전자 메일 : <br> <u><b>1) E-mail: [email protected]<br>2) E-mail: [email protected]</b></u>
<p><u>두 개의 이메일 주소를 모두 적어주십시오</u></p>
<p>다른 국가의 법 집행 기관이 항상 몸값 회사에서 사용되는 전자 메일을 압류하려고하자마자 전자 메일 주소를 사용할 수 없을 수도 있으므로 서두르는 것을 잊지 마십시오.</p>
<p>지불 할 의향이 있지만 우리를 잘 모르겠다면 전자 메일 주소를 저장합니다. 나열된 주소가 압수되면 우리는 새 주소에서 귀하를 씁니다.</p>
<p>아래에 큰 base64 얼룩이 보일 것입니다. 이메일을 보내고이 얼룩을 우리에게 복사해야합니다. 클릭하면 클립 보드에 복사됩니다.</p>
<p>복사하는 데 문제가 있으면 현재 읽고있는 파일을 첨부 파일로 보내주십시오.</p>
<p>Base64 :</p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">4UpXQzguVgcgsEr6J+wvR2RCaMtk4j5JzjzR1zHSf7968P8Rxwzp00ZpnaGeBXQ7x6vaDEqZB1CW5bxJwN03FuuRzps4zCSMeiXDxblxcz3f4g+yiRoGllOjPE4md1qC+e2j/9lhc3SdF+7b1ST8h2Uu3gqnAkT8cuH7u1GDwsvBC/Sdjp0jPUJxNCoOGsBVl1iwDv9Pr6966V2BcKjOpfiAqD+AfWFdihsZ8XURjy/Pmyj7dXubE5CAxJwG52HWXQjMaX5osqQ6zXDV4/fkCWCpCqABtZ3J+3deLd1njPY8lcHmEDOxJ67PVSnXJBn13/73dcQBCxfrF/i8GGnj5duubDHGAF4mx2hIv+SnnDzRPY0FYlGgYgebeYX2g3cHUt/YCISJnyoomgD36zChoC7sYoqmwbVxzIbuk0g7KlP8Kbw9nXqbGuDH/DsRVVvcjWBNT6ue5zDEQ/sy237h6ODSPHmu5sejVZWKf1DV6SGDDHfIk4h9Royta6iUC+LFnN3uTXvFBc4wYe1kRfbeIqiIJCZnEb6TvaUchBgvtEHeofHw8k5WkWzIGcAxCHnYqh8EyJLA/qhJc4e7WdaNNSzYeAg2J1jHfxjyD4tknVCGZnSUBLGCIeInF4nnytJQRp2hmfSo2+wpD3mhP/xFklu6c28xjcCgKgyoqOYm83K2scLh2tPGivEVQ/f38hM/69pzrjO/maH2k9LZDdY78FiIvwBVbZGO6+Os0Eve256+gzCL+0p4xdzShzlML1PZQS4mHEfpdfIt89UjHvH5m9McKD1G/18XHhs6tjb9eiK+rAK6C9w0v8TBzi3Y9u2BE6FYFnupaY4runpTQUUXHqYwCIRbKzl2iR1bXdk8SjJF6r4Uww9b38Y1sjO9morLSw1sDbwa2SNWjz0t9g2LxbSc1kLekGvP0sCcpOCR74baN5hX0z9uGm7BWbEiu7e9m9RhnSs6v6W7Y5tv89AnraVd0zpYxVk0p/H/YAM/PSck0jWBadJa4Sy7eaBT7ddBXOsVN4P5qFIZVQuSwB1T3HSMpbaHsDcloHLT/pKKGY5zv0WTaj0FYVNYfhL7fUojX7mb14XQf79CwYmQm8uofo8+di6XvPJ1CBIkqp91y35sMBwyTGbLzB4IiZpsEqXRDhNJ7gMkhh3rM4Q2aRyiDxpSDu/7Nd7UsJUUpJxiGq4jrGr9stPVaJ5ewooZ3ozAlMCO47A1L5iLLSHjOE3dxYQSwLUiRnsksg5EL3V/b8oniBpg6ckVWNTKZ3WQfxAO5YPPhtlUWQiUKAB7Fk6UMGXagYveisz7PAHg5a3KQ2xgQZZyeYOm81NP3dw/XB7ZgufL6RQ228cNB4g+v/Ro/AempK/K+wkogAFn2nMY4GxLDTZUUJQ4AgoSXXbaJ0hITReXCJ3z8INrx9kCR2dg9Fy0RLuo9zWIRCtyLoa3Ppcy6ndl78pKtPF14VabBO/8puufUi2gjh/t2T42IEr8BEGXT7jHiaYSF013e9t4od3gYhcTOV0XCmcCuNKX+bbElshA94rbwMAwsRDrW8edniyseNrp5xOUzgZWQm9HcXNh3aV3EymaDY7dCjeENLE/PTdjA+6VAIkfk1zU7VClOgmRPMqD6Y7B7IkuqMS4f40nyGqtVEF4+aTxFMBAd39LCji+mFLiWTXFXmbFoSOxByBOevF2CzQXqYgRuw2rroIt5v9gFpsNlFd+mJhe0GolXfYYBZEcIoyLX2eDIQSfEFOdta03bjR7mIgO+5THxf4Chxv+6UwlLcsDXbd5xwYqiGPpzVZqKBt+tmxLRCmeiqCyGRUIPy3K8eOvYkhWZMW2lGD8/U5dzdm5U/AF6cQW0g0hP/zuBLsJHWOktaTp+GjHrK9vIcH1TbHCXJ9ic1Birw9KJ1eBLAU/mR1bgHxEjtKP9V4paCH3ZqjHqh5AvTjPU2Y77+8+NzoL+owWO0bxlYUN9quFWJpQif61qVj7FfjZmggcjtpITxqa1jqYERo/z2tRMDBjupClYUJkGogmJ8/CsNrYce42e8NkYXUV3UiAhx8o3oFpVBsxKuwYYVs3/AyKum4jElQeRv5WZ3LMd9xndYEnqZSuJ7d60Q30Re6DfaF1UGJXwavCw/9n91Ot6EbbPGKQ0lW/F4gNih5aSkLOXK0mOzpHfpDw40Zh6dnM8hYdqPTS3Y55t3cegaOAJ9igVweGdwX9cunqjyKUTg8w08UgTgWqOjfKe8eCgZtA0woiOAA4ADYANAAwADkAOQBlADMANQA5ADcAMAA4AGQAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJOAEQAVABOAFoAVgBIAE4AAAAqDG4AbwBuAGUAfAAAADIeVwBpAG4AZABvAHcAcwAgADEAMAAgAFAAcgBvAAAAQlZ8AEMAXwBGAF8AMgAwADQAOQAyAC8AMgA0ADEAMwA2ADEAfABEAF8AVQBfADAALwAwAHwARgBfAEYAXwAyADAANAAxADUALwAyADAANAA3ADkAfAAAAEgAUEBYiQhgiQhoiQhwodTfcngJgAEBigEDMS4y<span class="tooltiptext">복사하려면 여기를 클릭하십시오</span></p></div></td><td style="width: 25%; text-align: right;">
</tr></table>
</body></html>
Emails
[email protected]<br>2
[email protected]</b></u>
URLs
http-equiv="Content-Type"
http-equiv="Content-Style-Type"
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\okytd\ucgg\..\..\Windows\rnkmk\xmc\ai\..\..\..\system32\bxy\..\wbem\kemw\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\aprwx\wxm\qevc\..\..\..\Windows\xnskx\vn\..\..\system32\iff\..\wbem\tp\pby\..\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CloseSelect.lock2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3b81⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD56d368b48a16c11ae83b200ac061e36e4
SHA1c3e2bc56b20ccdfe930f94f1799817122314504d
SHA256770b6aec48121a264af30c9fe9f92741aa59b1fa92c3798b59f2b7efd2d26322
SHA51240c060df2c4844aba18b38d7e00e57784a0e5395d3bd2610b2bd33a3e536e3cd5f1eb7c0b481ba76f870029367dba20ee43d52dbf5249a483d3a4ddace179346
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
218KB
MD513e8857c11c103c86af5a010ba171f66
SHA1dd8f6ee3cd8b1ac01c480e0843c323805c3cf2ae
SHA2568b69fd5d6b540b3080b438f3cf0d42f3266654e786ce7dc5e85855d309e962ac
SHA5128454d4a02c15e12428628aaf9df2f5ec48d261e692a8b4f2e7e81d83c3acd6921bfb2d3ebc76f78f124fd0065852af348bec56a91e7ba9c54525615d6b7804b0
-
Filesize
940B
MD5ff283ff5efd9a52726d550a3454b8b0a
SHA1627312ba63b1cfb8ad0f825e95433377d5d2d17e
SHA25641da31ecedb0e533bbd7899c744cca240ac27f27384c1e30bda4d6d1fc645724
SHA512b90c1a87fd4cf97213128f7bd44e791d988261c332a60ce943b25f4a76c6aa46ee64d7111a6009cff4e57ae35e6cdd381977067597465104ebd95fb6e8fa11fa
-
Filesize
9KB
MD54dfdd91a8a05c9effc8408af947321f9
SHA19f8f17dca78335ce6c82f964d486513d0f91a661
SHA256a86ad920a3cfc59b26c3a2ea35683d8bcf56cfe89dc330d070ffe78878b1edb4
SHA5126da6ecc045beb9670aaaafc2f69c0e3eef2cd5d136c324d6b790575394808be60b7cc723f0ad70a8cb38a2855f0663055bf06281ef2c00c5a34677c8c4b77740
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
74.3MB
-
Filesize
74.3MB
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB