mafiaware666 | 7026f3039dffe9b6274b3bc5bd29ba5399d979c77bf80e20cd1c28965b4a7c78

Analysis

max time kernel
160s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FB345CA471C5BA5E86F62F15FA3F7B17.exe
Size

100KB
MD5

fb345ca471c5ba5e86f62f15fa3f7b17
SHA1

e2f15273e745384a9c5544d3125a2275dca57164
SHA256

7026f3039dffe9b6274b3bc5bd29ba5399d979c77bf80e20cd1c28965b4a7c78
SHA512

8125e5f2e06212c1841ad5359ed6e7e5c5329784b067e71adc78c668d7101493cf470156d41c2264d6c2baae635b179618041e589e6acb8ebd14a4d105e356ed
SSDEEP

768:5Dea8sjqvNAPLNngBTsvKBljHS/vJsUbKfO2yMMz/C1Yckin:VTjMWLvCBFyyUbKfO2yZz/Cein

Score

10^/10

mafiaware666 evasion persistence ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/884-132-0x0000000000900000-0x000000000091E000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ExpandWait.crw.jcrypt	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File created	C:\Users\Admin\Pictures\HideTrace.tif.jcrypt	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File created	C:\Users\Admin\Pictures\SelectUnregister.raw.jcrypt	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File created	C:\Users\Admin\Pictures\UndoMeasure.tif.jcrypt	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrokenPc = "C:\\Windows\\SystemFiles.exe"	FB345CA471C5BA5E86F62F15FA3F7B17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrokenPc = "C:\\Windows\\brokenpc.exe"	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\brokenpc.exe	FB345CA471C5BA5E86F62F15FA3F7B17.exe
File created	C:\Windows\SystemFiles.exe	FB345CA471C5BA5E86F62F15FA3F7B17.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	FB345CA471C5BA5E86F62F15FA3F7B17.exe

C:\Users\Admin\AppData\Local\Temp\FB345CA471C5BA5E86F62F15FA3F7B17.exe
"C:\Users\Admin\AppData\Local\Temp\FB345CA471C5BA5E86F62F15FA3F7B17.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-132-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/884-133-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/884-134-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/884-135-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads