mmlocker | baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299

General

Target

baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe
Size

230KB
MD5

9fd056a806343253a57b3fb16260b16a
SHA1

6fe4d8992cd01266c26d28ef15fee7afa3ee0497
SHA256

baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299
SHA512

e27ae1d1bb14c1ff6f962104cdb8a4e28a214fa90ede46fa3b974b89a400acebaac71b72140dd8aaf7ac386a6a239009eef19609343d05b6831e40648fdab6e5

Score

10^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4068	svhost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg"	svhost.exe

MM Locker
Ransomware family distributed via phishing email and malicious game cracks.
ransomware mmlocker

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe
Token: SeDebugPrivilege	4068	svhost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66
PID 1992 wrote to memory of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 4068	1992	baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe	66

C:\Users\Admin\AppData\Local\Temp\baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe
"C:\Users\Admin\AppData\Local\Temp\baba76d578be903c9d78e3d6417636ba6a8069cafe9ccccdfce2bc19b43fc299.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1992
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing