mafiaware666 | ec53369ff55e735e14b5b87eb793dabf043ce0fd7f93bc47fd0e5fd4fd7e6a77

General

Target

Chrome.msi
Size

288KB
MD5

10cca9ff7368ddfb2301d36fa386669a
SHA1

9ec12af4a97eda16513aa51ec685601c64eec626
SHA256

ba9933fa2ea29f27d73736ecd78d3f598e4786f2207e29fa6c7f42f008d529a9
SHA512

c72938d43e08de87c0328a500810e0c33448110eefb3eaf9569dbb9b91e61e9db4022ca6359e84e2a9b376077d5242948ecdbd2fb433b508a4006463d56d1c85
SSDEEP

3072:81L7cspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8VlhD5:btO9iRQYpgjpjew5DHyGxcqo8f7

Score

10^/10

mafiaware666 discovery ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files.cab	family_mafiaware666
C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files\WindowsFormsApp1_original.exe	family_mafiaware666
behavioral2/memory/2672-68-0x00000000004B0000-0x00000000004BE000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Renames multiple (96) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXE

pid process

1548 ICACLS.EXE

pid	process
1548	ICACLS.EXE

Drops desktop.ini file(s) 5 IoCs

Processes:

WindowsFormsApp1_original.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	WindowsFormsApp1_original.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WindowsFormsApp1_original.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WindowsFormsApp1_original.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	WindowsFormsApp1_original.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	WindowsFormsApp1_original.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\e579877.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{397740B8-798B-4DEB-9E03-ACFFDDD4BF05}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e579877.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9942.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

WindowsFormsApp1_original.exe

pid process

2672 WindowsFormsApp1_original.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4564 MsiExec.exe

pid	process
2672	WindowsFormsApp1_original.exe

pid	process
4564	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

5000 msiexec.exe
5000 msiexec.exe

pid	process
5000	msiexec.exe
5000	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	5000	msiexec.exe
Token: SeCreateTokenPrivilege	2680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2680	msiexec.exe
Token: SeLockMemoryPrivilege	2680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2680	msiexec.exe
Token: SeMachineAccountPrivilege	2680	msiexec.exe
Token: SeTcbPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeLoadDriverPrivilege	2680	msiexec.exe
Token: SeSystemProfilePrivilege	2680	msiexec.exe
Token: SeSystemtimePrivilege	2680	msiexec.exe
Token: SeProfSingleProcessPrivilege	2680	msiexec.exe
Token: SeIncBasePriorityPrivilege	2680	msiexec.exe
Token: SeCreatePagefilePrivilege	2680	msiexec.exe
Token: SeCreatePermanentPrivilege	2680	msiexec.exe
Token: SeBackupPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeShutdownPrivilege	2680	msiexec.exe
Token: SeDebugPrivilege	2680	msiexec.exe
Token: SeAuditPrivilege	2680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2680	msiexec.exe
Token: SeChangeNotifyPrivilege	2680	msiexec.exe
Token: SeRemoteShutdownPrivilege	2680	msiexec.exe
Token: SeUndockPrivilege	2680	msiexec.exe
Token: SeSyncAgentPrivilege	2680	msiexec.exe
Token: SeEnableDelegationPrivilege	2680	msiexec.exe
Token: SeManageVolumePrivilege	2680	msiexec.exe
Token: SeImpersonatePrivilege	2680	msiexec.exe
Token: SeCreateGlobalPrivilege	2680	msiexec.exe
Token: SeBackupPrivilege	3584	vssvc.exe
Token: SeRestorePrivilege	3584	vssvc.exe
Token: SeAuditPrivilege	3584	vssvc.exe
Token: SeBackupPrivilege	5000	msiexec.exe
Token: SeRestorePrivilege	5000	msiexec.exe
Token: SeRestorePrivilege	5000	msiexec.exe
Token: SeTakeOwnershipPrivilege	5000	msiexec.exe
Token: SeRestorePrivilege	5000	msiexec.exe
Token: SeTakeOwnershipPrivilege	5000	msiexec.exe
Token: SeBackupPrivilege	3736	srtasks.exe
Token: SeRestorePrivilege	3736	srtasks.exe
Token: SeSecurityPrivilege	3736	srtasks.exe
Token: SeTakeOwnershipPrivilege	3736	srtasks.exe
Token: SeBackupPrivilege	3736	srtasks.exe
Token: SeRestorePrivilege	3736	srtasks.exe
Token: SeSecurityPrivilege	3736	srtasks.exe
Token: SeTakeOwnershipPrivilege	3736	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2680 msiexec.exe

pid	process
2680	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 5000 wrote to memory of 3736	5000	msiexec.exe	srtasks.exe
PID 5000 wrote to memory of 3736	5000	msiexec.exe	srtasks.exe
PID 5000 wrote to memory of 4564	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 4564	5000	msiexec.exe	MsiExec.exe
PID 5000 wrote to memory of 4564	5000	msiexec.exe	MsiExec.exe
PID 4564 wrote to memory of 1548	4564	MsiExec.exe	ICACLS.EXE
PID 4564 wrote to memory of 1548	4564	MsiExec.exe	ICACLS.EXE
PID 4564 wrote to memory of 1548	4564	MsiExec.exe	ICACLS.EXE
PID 4564 wrote to memory of 4296	4564	MsiExec.exe	EXPAND.EXE
PID 4564 wrote to memory of 4296	4564	MsiExec.exe	EXPAND.EXE
PID 4564 wrote to memory of 4296	4564	MsiExec.exe	EXPAND.EXE
PID 4564 wrote to memory of 2672	4564	MsiExec.exe	WindowsFormsApp1_original.exe
PID 4564 wrote to memory of 2672	4564	MsiExec.exe	WindowsFormsApp1_original.exe
PID 4564 wrote to memory of 2672	4564	MsiExec.exe	WindowsFormsApp1_original.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chrome.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8E764A230544CBE5FCF4E0269A24ECEC
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files\WindowsFormsApp1_original.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files\WindowsFormsApp1_original.exe"
    3⤵
    - Drops desktop.ini file(s)
    - Executes dropped EXE
    PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files.cab

Filesize
37KB

MD5
b050ee720b47e099ebeb9fb585ddcd80

SHA1
710b83b1c892872623581cc629a22f7f58672651

SHA256
040c3c2ec3e91c3f6d6b7b895017f08ece1998d0fcae1d40d75312fdf3dae5fc

SHA512
86209153e7be31e5dd638f79dbef639fd8c5642d56b01bc9f8a4370553cf71fcedc82141072739625a7cf397096f0e8cacc774a92796d13ca81b83ed5a89a32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\files\WindowsFormsApp1_original.exe

Filesize
37KB

MD5
fcb4ddf79552dbc16151c4f002e72a81

SHA1
5a6655bf73e42c6e0eb35b58aba5bba91745fb49

SHA256
1e16152df45f8830bc7f5682342fd632dd724cccfd752f9fd1be4cd2c2606179

SHA512
2ef11bf7e3539d812e54a2b6ccd5901fa60e1c873ac19e71e0b1d305090a742f492e2d4ed836b3897f8795335b9181bceb555e2a5c143cff59843ef921e1a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\msiwrapper.ini

Filesize
1KB

MD5
a4a3b6395c02a7354c43e61611498160

SHA1
062fb22c3e9f898cc6b872c2b0c78097cb77012e

SHA256
1cbfe677d405da6f2896198c000d2235c5102fde84db08685e926a292b17288c

SHA512
de0e3e42af0f5fc763ba0f6f50875d7b9a82590a4ab6fbe5e4e762a18c3726dea324ca31169d91aa6145b743555abf93e1eab26f1b55741b8ddd289248a9f98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e8c18ecf-edfd-457e-a87c-719cc607733c\msiwrapper.ini

Filesize
1KB

MD5
c5cf251280a7fcb3040162331e5dfae2

SHA1
3ec3db83383ff638c0b1354a7d62bd2263696fa0

SHA256
352c2ed20ac5caf19de2985172ad699e9d64b33faf75aef9c4e8aa4f508ba6c9

SHA512
942e8d230585711fcafc5dcc4b6ebec50f1801c35784a6fb3f6c44d438be10a3b2039bf7bdf2b301d0ce03da9208fdcdb21d87ff47ba392e7dce2bdfdc19299f

Download Submit
C:\Windows\Installer\MSI9942.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
c2f011023fbe4d8858095d8d35baf009

SHA1
d7c7d610ab27189a1f1a461dbfe2ef272b5e9df2

SHA256
075347eaa1601034673621f381949c204e7249d6cb02383dcbcb437c67531760

SHA512
9912f73ad9679588e881ecde47389f5ad82938f57bd36ef422c28dd530303a63c7331cad556b7533fa7abe3dc829ceb2c43b53910c98b5791f84349bca8c168a

Download Submit
\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5fc4c506-7c6e-4ab1-8fb5-d4812362f4ce}_OnDiskSnapshotProp

Filesize
6KB

MD5
a495a1cb62e28ddb16d653588c019aec

SHA1
cd9f97aeb6b72a5a719b9fe92396dbf9d1d1a565

SHA256
dfbddc823d3ae5282502ab378283262890c6a7789f5ff876e7b4d2a448f43828

SHA512
52a7f3726fb1ad25394fe30cbae3734d17154db1274a012efef5e6eb3c0754d793c7d2986d206417784773712d4223bf68e0ac76a38f663c9420921f0414a94c

Download Submit
memory/2672-68-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2672-69-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/2672-70-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/2672-71-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads