Analysis
- Max time kernel: 112s
- Max time network: 117s
- Platform: windows7_x64
- Resource: win7
- Submitted: 21-07-2020 16:16
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample MaMoCrypter.bin.exe, resource win7)
- Behavioral task: behavioral2 (sample MaMoCrypter.bin.exe, resource win10v200430)
General
- Target: MaMoCrypter.bin.exe
- Size: 922KB
- MD5: 0889138a3894284e97b61f9a310e3e7d
- SHA1: 6c51969b1b1686abd8220191e12e647ab7312517
- SHA256: 5063ae08ea15ab78bd9062ca0d0813c0682a22583ecd1830efeb6afcc2dd45d8
- SHA512: 23317713644609a71953fc632478ee638d818bbb675e4f4ca00226cb4006a631800b3fe35c57aa85078f54155cb5d5c409e37fff25fc8315ee702a30c18f6f18
Malware Config
Extracted from the dropped ransom note:
- Ransom note path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\How Do I Recover My Files (Readme).txt
- Contact email: mzrdecryptorbuy@firemail.cc
- Payment address: 3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd
Signatures

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- svchost.exe (PID 1288): 4 events
- powershell.exe (PID 744): 2 events
Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes:
- vssvc.exe (PID 1804): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (PID 1836), the following set enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- powershell.exe (PID 744): SeDebugPrivilege
Note: the numeric entries 33, 34 and 35 are the privilege LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The token adjustments by vssvc.exe and WMIC.exe are the behaviour of those Microsoft components themselves; the signal in this report is that WMIC.exe was launched by the dropped svchost.exe to delete shadow copies, and that powershell.exe enabled SeDebugPrivilege.
Modifies service (2 TTPs, 4 IoCs)
Processes:
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Note: these writer-diagnostics keys are created by the Volume Shadow Copy service itself when shadow copies are enumerated or deleted. They are a side effect of the vssadmin.exe and WMIC.exe activity below, not evidence that the sample installed or reconfigured a service.
System policy modification (1 TTP, 17 IoCs)
Processes:
- svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0"
Note: most of these writes re-set values to their Windows 7 defaults. The one that changes the machine's security posture is EnableLUA = "0", which turns User Account Control off; the change takes effect at the next reboot or logon, so it is a persistence-stage weakening rather than an immediate elevation.
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each parent-to-child pair was recorded four times, which is the normal pattern for a process writing into a child it has just created):
- PID 900 MaMoCrypter.bin.exe wrote to memory of PID 1288 svchost.exe
- PID 1288 svchost.exe wrote to memory of PID 1596 cmd.exe
- PID 1288 svchost.exe wrote to memory of PID 1616 cmd.exe
- PID 1288 svchost.exe wrote to memory of PID 744 powershell.exe
- PID 1596 cmd.exe wrote to memory of PID 456 sc.exe
- PID 1616 cmd.exe wrote to memory of PID 1056 vssadmin.exe
- PID 1616 cmd.exe wrote to memory of PID 1836 WMIC.exe
- PID 1288 svchost.exe wrote to memory of PID 1608 NOTEPAD.EXE
Executes dropped EXE (1 IoC)
Processes:
- svchost.exe (PID 1288)
Checks whether UAC is enabled (1 IoC)
Processes:
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Launches sc.exe
sc.exe is the Windows utility for controlling services. Here it is run as sc config "AppCheck" start=disabled, which sets the start type of the service named "AppCheck" to disabled.
Drops file in Drivers directory (1 IoC)
Processes:
- svchost.exe: File created C:\Windows\System32\drivers\etc\host
Note: the file name as recorded is host, not the legitimate hosts file in the same directory.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 1056)
Loads dropped DLL (1 IoC)
Processes:
- MaMoCrypter.bin.exe (PID 900)
Processes
- C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe (PID 900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe"
  Signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; System policy modification; Suspicious use of WriteProcessMemory; Executes dropped EXE; Checks whether UAC is enabled; Drops file in Drivers directory
    - C:\Windows\SysWOW64\cmd.exe (PID 1596)
      Command line: "C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\sc.exe (PID 456)
        Command line: sc config "AppCheck" start=disabled
    - C:\Windows\SysWOW64\cmd.exe (PID 1616)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (PID 1056)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1836)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 744)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e payload (base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1608)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt
- C:\Windows\system32\vssvc.exe (PID 1804)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service

Notes on the tree:
- The child images resolve under C:\Windows\SysWOW64 although the command lines name System32. That is WOW64 file-system redirection: the dropped svchost.exe is a 32-bit process, so every helper it launches is the 32-bit copy.
- The second cmd.exe chain is the standard recovery-inhibition one-liner (vssadmin, wmic, bcdedit, wbadmin). Only vssadmin.exe and WMIC.exe appear as its children in this report; no bcdedit.exe or wbadmin.exe process entries were recorded, so whether the boot-policy and backup-catalog steps ran cannot be confirmed from this output.
- The PowerShell command is a third, independent way of deleting shadow copies (the WMI Win32_Shadowcopy class through the Delete method), so the sample does not depend on vssadmin.exe or WMIC.exe being available or unblocked.
- vssvc.exe is the Volume Shadow Copy service, started on demand by the Service Control Manager; it is shown as a separate root because it is not a child of the sample.
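The two things a responder wants to extract from a report like this are the plaintext of the `-e` PowerShell payload and a detection that would have fired on the process tree and the registry writes. The following is an added example written for this page, not part of the sandbox output. It copies the base64 string and the command lines from the report verbatim; the Sysmon-style event records and the registry tuples that wrap them are constructed here, and the pattern names are my own labels. It also decodes any `-e`/`-enc`/`-EncodedCommand` argument generically, so the shadow-copy patterns match whether the command is typed directly or hidden behind base64.

```python
"""Triage helpers for the MaMoCrypter sandbox report (added example; not sandbox output)."""
import base64
import re
from typing import Dict, List, Tuple

# Copied verbatim from the report's powershell.exe command line.
ENCODED_COMMAND = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8"
    "ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)


def decode_encoded_command(b64: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


# One pattern per recovery-inhibition technique seen in the report (names are mine).
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "wmi_shadowcopy_delete_method": re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I | re.S),
}

# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations of the same flag.
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_powershell(cmdline: str) -> str:
    """Append the decoded -e payload so the patterns see the real command."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed base64: fall back to matching the raw line


def classify_cmdline(cmdline: str) -> List[str]:
    """Names of every recovery-inhibition pattern the (expanded) command line matches."""
    text = expand_powershell(cmdline)
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(text)]


# Constructed process-creation records; PIDs and command lines are from the report.
EVENTS = [
    {"pid": 1596, "ppid": 1288, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled'},
    {"pid": 1616, "ppid": 1288, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & '
                r'wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
                r'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    {"pid": 1056, "ppid": 1616, "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1836, "ppid": 1616, "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 744, "ppid": 1288, "image": "powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e ' + ENCODED_COMMAND},
    {"pid": 1608, "ppid": 1288, "image": "NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt'},
]


def triage(events) -> Dict[int, List[str]]:
    """Map pid -> matched pattern names for every event that hits at least one pattern."""
    return {e["pid"]: hits for e in events if (hits := classify_cmdline(e["cmdline"]))}


UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Values that weaken UAC when set this way; EnableLUA=0 turns it off at the next logon.
UAC_WEAKENING = {"EnableLUA": {"0"}, "ConsentPromptBehaviorAdmin": {"0"}}

# Constructed (path, data) tuples taken from the report's policy writes; "5" is the default.
REG_EVENTS = [
    (UAC_KEY + r"\ConsentPromptBehaviorAdmin", "5"),
    (UAC_KEY + r"\EnableLUA", "0"),
    (UAC_KEY + r"\PromptOnSecureDesktop", "1"),
]


def uac_weakened(reg_events: List[Tuple[str, str]]) -> List[str]:
    """Names of UAC policy values written with a weakening value under the policies key."""
    hits = []
    for path, value in reg_events:
        key, _, name = path.rpartition("\\")
        if key.lower() == UAC_KEY.lower() and value in UAC_WEAKENING.get(name, set()):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("decoded -e payload:", decode_encoded_command(ENCODED_COMMAND))
    for pid, hits in triage(EVENTS).items():
        print(f"PID {pid}: {', '.join(hits)}")
    print("UAC weakened via:", uac_weakened(REG_EVENTS))
```

Running it decodes the payload to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` and flags PIDs 1616, 1056, 1836 and 744 while leaving the sc.exe and NOTEPAD.EXE launches alone, which mirrors the report's own "Deletes shadow copies" and "Interacts with shadow copies" signatures. Expanding the encoded command before matching is what lets the PowerShell variant be caught with the same rule set as the vssadmin and wmic variants.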
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\How Do I Recover My Files (Readme).txt
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
- \Users\Admin\AppData\Local\Temp\svchost.exe
Memory dumps (PID and process per the tables above):
- memory/456-6-0x0000000000000000-mapping.dmp (sc.exe)
- memory/744-5-0x0000000000000000-mapping.dmp (powershell.exe)
- memory/1056-7-0x0000000000000000-mapping.dmp (vssadmin.exe)
- memory/1288-1-0x0000000000000000-mapping.dmp (svchost.exe)
- memory/1596-3-0x0000000000000000-mapping.dmp (cmd.exe)
- memory/1608-11-0x0000000000000000-mapping.dmp (NOTEPAD.EXE)
- memory/1616-4-0x0000000000000000-mapping.dmp (cmd.exe)
- memory/1836-8-0x0000000000000000-mapping.dmp (WMIC.exe)