Overview

overview

10

Static

static

10

Ransomware.exe

windows7-x64

10

Ransomware.exe

windows10-2004-x64

10

Resubmissions

12-04-2023 11:41

230412-ntr64ade2t 10

31-03-2023 17:39

230331-v8d2cadd8y 10

Analysis

  • max time kernel
    112s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12-04-2023 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware.exe

  • Size

    322KB

  • MD5

    39f33d6842fa6495ccd7a41e8ddcb9b8

  • SHA1

    61cd2b3e22e2e6e514d611d3154e001f7e9fd195

  • SHA256

    416d2f821b7cb984859cfce43be981c5c9bc1489446ba41951c041d5801b65cb

  • SHA512

    97e8b15b82b70efebbf5cbfbbd4ac4925a7300049f5866bf01b59396de43c633342b5bc2ed657aae573c9f77e2dd20fe67234110aef048c49a2af9c8bd45dc29

  • SSDEEP

    3072:iMMFnguNpdYSkMXV2KMMEuWgY792XaY6UTuuAk2usbA+klAGPqhdp4efHxub8ehY:ideMXVeuWgY79OWpmq/yQxuAeS9Jb/

Score
10/10
mafiaware666ransomware

Malware Config

Signatures

  • Detect MafiaWare666 ransomware 2 IoCs
  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

    ransomwaremafiaware666
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious use of FindShellTrayWindow
    PID:1996
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ENCRYPTED_FILES.Locked.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1600
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1704
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:948

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\ENCRYPTED_FILES.Locked.txt
      Filesize

      4KB

      MD5

      9b571a4c5e7fae04334be40c87ac415a

      SHA1

      e93bd1bf128b5da075fe9741d395a558da85849b

      SHA256

      fa705830ab3920a9d7978fb4a8f1b6d4d0f1189675ef8cb10049157ea980b738

      SHA512

      28a563e5dc1d660c3298092e6201051b3145eb884739c6896de88d8a7b2a953966223c2526f2111fa8cd3ba09eee559ac346a68f92fbe62b46ea9f0e8b9935f1

      Download Submit

    • memory/1996-54-0x0000000000820000-0x0000000000876000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1996-55-0x0000000004A30000-0x0000000004A70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1996-56-0x0000000004A30000-0x0000000004A70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1996-83-0x0000000004A30000-0x0000000004A70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1996-87-0x0000000004A30000-0x0000000004A70000-memory.dmp

      Filesize

      256KB

      Download