mafiaware666 | 36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
Size

12.7MB
MD5

8348ef459bf80c77dbb19b46b8c0b8ad
SHA1

5d90fee216c24f5ed398d037fffc27147f8a89d8
SHA256

36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6
SHA512

e8b3f506a72a14adf52f3fe29a87f4db5078dda2aa857deefc6f189b3d1584eaa85c4eb2c4a23432c6c1528cba152ecb3e4b275aa7eeebf4ac9a413d1d8a32dc
SSDEEP

196608:LDBz0CUs3H74jT8vlJ2o+DE6QIwF9z0dUdqc+Y5NHT:LDzU84aJQQIGoGYc+Y5NHT

Score

10^/10

mafiaware666 ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4812-132-0x00000000009E0000-0x0000000001690000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisconnectClear.tiff	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\WaitResume.png.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\PingMount.raw.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\RequestRepair.png.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\RevokeSplit.raw.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\SyncFind.tif.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\CheckpointDismount.crw.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\CompressFormat.raw.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\CopyPop.crw.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\DisconnectClear.tiff.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File created	C:\Users\Admin\Pictures\UndoConvert.tif.jcrypt	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\Desktop\Wallpaper	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe

C:\Users\Admin\AppData\Local\Temp\36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe
"C:\Users\Admin\AppData\Local\Temp\36a10d7ce157607875309bc9995258555b0f05862637bb2134abea22be1d0ab6.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control