mafiaware666 | 7026f3039dffe9b6274b3bc5bd29ba5399d979c77bf80e20cd1c28965b4a7c78

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 16:04

Target

FB345CA471C5BA5E86F62F15FA3F7B17.exe
Size

100KB
MD5

fb345ca471c5ba5e86f62f15fa3f7b17
SHA1

e2f15273e745384a9c5544d3125a2275dca57164
SHA256

7026f3039dffe9b6274b3bc5bd29ba5399d979c77bf80e20cd1c28965b4a7c78
SHA512

8125e5f2e06212c1841ad5359ed6e7e5c5329784b067e71adc78c668d7101493cf470156d41c2264d6c2baae635b179618041e589e6acb8ebd14a4d105e356ed
SSDEEP

768:5Dea8sjqvNAPLNngBTsvKBljHS/vJsUbKfO2yMMz/C1Yckin:VTjMWLvCBFyyUbKfO2yZz/Cein

Score

10^/10

Detect MafiaWare666 ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/1492-54-0x00000000011C0000-0x00000000011DE000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\brokenpc.exe	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
296	1492	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 296	1492	FB345CA471C5BA5E86F62F15FA3F7B17.exe	27
PID 1492 wrote to memory of 296	1492	FB345CA471C5BA5E86F62F15FA3F7B17.exe	27
PID 1492 wrote to memory of 296	1492	FB345CA471C5BA5E86F62F15FA3F7B17.exe	27
PID 1492 wrote to memory of 296	1492	FB345CA471C5BA5E86F62F15FA3F7B17.exe	27

C:\Users\Admin\AppData\Local\Temp\FB345CA471C5BA5E86F62F15FA3F7B17.exe
"C:\Users\Admin\AppData\Local\Temp\FB345CA471C5BA5E86F62F15FA3F7B17.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1188
  2⤵
  - Program crash
  PID:296

memory/1492-54-0x00000000011C0000-0x00000000011DE000-memory.dmp

Filesize
120KB

Download
memory/1492-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download