Overview

overview

10

Static

static

10

skull.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skull.exe

  • Size

    1.3MB

  • MD5

    3dce90e3a6daa8810d0dec78fd960e7d

  • SHA1

    d44f4aa742092f33ec60264e15f09fd127a7bb87

  • SHA256

    096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733

  • SHA512

    bd68ff08882a61bbc4d51ca4ae2e055e20db853c79f6ea0dd5867e673af38785ddc4f992c1891ecf6d658bba89556b23797d708f3d7ca1da1eb4332f9a2ea84c

  • SSDEEP

    24576:RTSTiRsBE12BIVpT2QhYpAILUo/g9QZqpMC3QVbIoTdWR8SfEuGujqZF13z8H81:RT7RseZDT2tSbvQsIbe8YVjPH81

Score
10/10
mafiaware666discoveryransomware

Malware Config

Signatures

  • Detect MafiaWare666 ransomware 1 IoCs
  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

    ransomwaremafiaware666
  • Mafiaware666 family
    mafiaware666
  • Renames multiple (69) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\skull.exe
    "C:\Users\Admin\AppData\Local\Temp\skull.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    PID:2452
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GroupHide.csv.jcrypt
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:112
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\GroupHide.csv.jcrypt
    Filesize

    487KB

    MD5

    d018de2dd344bc6be8b5aeba1344d5c1

    SHA1

    7924b7ea2365cfc133e0699747a581e6b7147f02

    SHA256

    56052dbf752ec649d55e1449bcb6d0d1e64c6ee6f36f250c58ae37cee1f32865

    SHA512

    c9d2c8687f2458f3941615f56b0557d5043ef6cb25fbd8dbb1aca927aaa765dad568938ee5c53de3374c61830346702c1732dc9334c8552d52cd3d9cdf8fc597

    Download Submit

  • C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
    Filesize

    3KB

    MD5

    8efdf2c9bda6f498b6ad872ab45c4364

    SHA1

    08738ac6765b78ba111bd957d66a6d761de45db4

    SHA256

    285be6e25d46cb90d3027d222198b7abec9584550617ba11fbbfa6dc887439df

    SHA512

    84bcd93816df15bdeb4e479120895f11aa6f7e08a44802347004c1a4e288bcb85060a6c449fa70e62e53869561b5447ea43a4ffc58ff5fa7c245ac2698f577bd

    Download Submit

  • memory/2452-6-0x0000000075060000-0x0000000075810000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2452-3-0x0000000005370000-0x0000000005402000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2452-4-0x0000000075060000-0x0000000075810000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2452-5-0x0000000005330000-0x000000000533A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2452-0-0x000000007506E000-0x000000007506F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-26-0x000000007506E000-0x000000007506F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-29-0x0000000075060000-0x0000000075810000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2452-33-0x0000000075060000-0x0000000075810000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2452-81-0x0000000075060000-0x0000000075810000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2452-2-0x0000000005920000-0x0000000005EC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2452-1-0x00000000007D0000-0x0000000000922000-memory.dmp

    Filesize

    1.3MB

    Download