General

  • Target

    RNSM00407.7z

  • Size

    957KB

  • Sample

    241028-yyr21awelf

  • MD5

    9632fca64622911a33ef8f985208e2aa

  • SHA1

    6035393621abbd0d2a32bfffa659d4c70398625c

  • SHA256

    dc2a27efa9cdda18cc0767ddd7effba126fa506d19598386cfe22526818f93eb

  • SHA512

    dc3bc1b40a6bceafdf9dd1a3ee6dcca576df404a51eff9548e0147ae0840d6e47f062d538f7ef55f770e901ba44a50b03fcee1f64ae6085af42db96b7921bbe3

  • SSDEEP

    12288:H+SZt3xA0EQCi52hXFK5xfkof0hO5KpZUthTs/0BMAhY8yLjNDgzbZY35IjdbpH:H+SZ/j25XoXfTf0hOc8bMAhY7LjZRI3

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000000; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5 px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><b>Maze ransomware</b></p> <p>*********************************************************************************************************************</p> <p>Attention! 
Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> </div> <div style="text-align: center; font-size: 18px;"> <p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p> <p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p> <p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p> <p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p> <p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p> <p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u> <p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies <p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. 
In case the listed addresses are seized we will write you from the new one</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">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<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails

Main e-mail: [email protected]

Reserve e-mail: [email protected]

Targets

    • Maze

      Ransomware family also known as ChaCha.

    • Maze family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks