Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
03/02/2025, 07:51
General
-
Target
skull.exe
-
Size
1.3MB
-
MD5
3dce90e3a6daa8810d0dec78fd960e7d
-
SHA1
d44f4aa742092f33ec60264e15f09fd127a7bb87
-
SHA256
096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733
-
SHA512
bd68ff08882a61bbc4d51ca4ae2e055e20db853c79f6ea0dd5867e673af38785ddc4f992c1891ecf6d658bba89556b23797d708f3d7ca1da1eb4332f9a2ea84c
-
SSDEEP
24576:RTSTiRsBE12BIVpT2QhYpAILUo/g9QZqpMC3QVbIoTdWR8SfEuGujqZF13z8H81:RT7RseZDT2tSbvQsIbe8YVjPH81
Malware Config
Signatures
-
Detect MafiaWare666 ransomware 1 IoCs
-
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
-
Mafiaware666 family
-
Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\skull.exe"C:\Users\Admin\AppData\Local\Temp\skull.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60ce27d-e784-4ef5-b0ae-535a52d250f5} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f191ab29-e626-4182-ab9d-1f8216aa52ad} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 2944 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29bdc54f-682c-4a85-833d-01342a861023} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3896 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09733ede-41df-463b-85df-2a533edb2469} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9faeac0e-8cac-45a4-a667-c13d041c5a19} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 4544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f12c56e9-9088-4b63-86d4-c44a7484f909} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a3e9b6f-42c8-434d-a647-8ba0b6d3a3db} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5376 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51425337-b8d5-4812-8d90-581e7ba98914} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6232 -prefMapHandle 6204 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {380c6cd8-5ecd-442f-9b29-248f6e8881d7} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD57103fec1e10b06206065acfe2f902c5d
SHA1828e658f05c724778420a498060685ac78b35345
SHA256216e50837671d3132f38ac33acf75e556c3192cbf87da00b0b9610cfb49ece7d
SHA512ca8853e44a1d68f1f58a15bdb6f4abcbe18bdd8209c25e2198c1eca1d9f4bd652f194129365ca81cf83001392f5513602b1c3b3deab380c224a2930f409b0828
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
10KB
MD5069c37bf9e39b121efb7a28ece933aee
SHA1eaef2e55b66e543a14a6780c23bb83fe60f2f04d
SHA256485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8
SHA512f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796
-
Filesize
8KB
MD5800aa86c2d34038fc77ac4621bd96052
SHA1de0aa9193856251bc4605444ce7f187da366f0a1
SHA256517190a73fb57571a0b9fd6bdd9f32db11edbc70a6e71e3853523c358b6a2358
SHA5126f53d3114855d5ff675efe7e0e4500ac1c35665aceea808f82aec165fb5f2041aad9eb145e193f9e2c53eb610a68e62914b0eb66363364647a7e97c067e3b375
-
Filesize
5KB
MD591d715c25222ce386e7c9fab402ba89f
SHA1b7dc21fcbbc04989e587758be70e608360f72490
SHA25608c4f4d4ee7ad2438968c84a08e6437000ecb9df791837d0f7480b80c6aa8c11
SHA51291afd57f34531ab7e63769704cdb381bcb7c92c035dabe3782ce880eb18efbd57696a735a8e21d620e5dbf3915a417a489ea8c1db878a6c7ea9dc53a86d5b2a9
-
Filesize
6KB
MD5a2f7a20094f84176a184f744ef7fec34
SHA1307d3454345a390739819ac65af02935b745639b
SHA256ef68d6c9902efc74f6c592f359c938b7e29547b9a62c5f8a6bf4bcf10744d6ef
SHA512977f8f1259bca6242d85dac6e525bf67d4c94339119641bab2ba4d45d8be68f6a98a41bd9d7ed088a3fdd7e68b7e5cf08d37ab3a464291c653f14a409140f4e6
-
Filesize
982B
MD5671182d6b3d03def58cd272577e671d2
SHA14e1f0eba6e55c97d1197e31dc4a92709db4e81a3
SHA256df53114ef4fbbfdc1f76f77b77ac5205213da9707d5aaa007d670f9dcf90e895
SHA5127104689a0e633ded9436f03b7df14feb8a66aaafc1b5102976f733a334406477d2d890921ebbbdbd981a243ca49b8e1af9c0b3a0f6a046c1ff98a844bcd4d3c0
-
Filesize
671B
MD51fb32888fb4b710ab8de2ebf37b3f19a
SHA1035e76c4c417fefc63044275381b6de1d424d0ba
SHA256f857670bbdd8dace0450a2e151e1b2edbc8a33718911f0ceee5d47148cf315fb
SHA51250ea96b7762e70ce906653f1c41384a23cf6cbaa916feff95b24178d6e89baef8f7b7f81da4cecbd7932fab03492ab879acbd165173daf21bf845ba753d1f672
-
Filesize
25KB
MD5282326052ddee6eacacb475db219c6cb
SHA1ad20227b1e47d3ad33fbe31757bf0d17b6135e1b
SHA256cc82fd497520ce6404fd8d40b60f1361bd4561d90b65a8f343bf6aa03c411a29
SHA51284c0c58a20c8b38333fcb82634cf004f2ba2313e41bdf2e9660ea40011924521c0ced3430f35a47081454d75e31fdd6c02ffeed869b9f6c6e3111d1ad3834acd
-
Filesize
9KB
MD55fb4087d99fc3e0e3e5f3eab3cc5853a
SHA1d45c99a4afba2c7b71caa127091bec4a2c4eb4fa
SHA25665b44561638322a869691b8884884769748dbfce32eee7cf63d67a240dfb1006
SHA512d6453135d64631f6ee1ef8e6e2419b9e79d3f2ccf8f99140beb24e58f68382091c8282483cb6d5eb8781dc386958e7f844c00e29dc38808cdc004f623296bc54
-
Filesize
288B
MD56b77a9f779399e95d1cee931a2c8f8ff
SHA1826efd4feb0d50fcce5696111af7c811b81adcd9
SHA2563a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
SHA512ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
-
Filesize
376KB
MD55d0a485c6575ffa77a45a9789921f9f0
SHA1207468b870c413099bb675a3e162346ee2d417bc
SHA256728b08f74ada44e54c1b8c28beb43047e7f2c34e6abf27484626975807a5a17c
SHA512fc94ec23d20863fad9ac2e97d919efb4d40bb9a914df7ecaeb063e6284cb008bb5ae1ec37eacc25aa3ea706ef1f00f769632314bfd5ff615b4dc217c3ebbc279
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
1.3MB