Analysis
-
max time kernel
138s -
max time network
31s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
21-07-2020 16:18
Static task
static1
Behavioral task
behavioral1
Sample
MaMoCrypter.bin.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
MaMoCrypter.bin.exe
Resource
win10
General
-
Target
MaMoCrypter.bin.exe
-
Size
922KB
-
MD5
0889138a3894284e97b61f9a310e3e7d
-
SHA1
6c51969b1b1686abd8220191e12e647ab7312517
-
SHA256
5063ae08ea15ab78bd9062ca0d0813c0682a22583ecd1830efeb6afcc2dd45d8
-
SHA512
23317713644609a71953fc632478ee638d818bbb675e4f4ca00226cb4006a631800b3fe35c57aa85078f54155cb5d5c409e37fff25fc8315ee702a30c18f6f18
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\How Do I Recover My Files (Readme).txt
mzrdecryptorbuy@firemail.cc
3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd
Signatures
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
MaMoCrypter.bin.exesvchost.execmd.execmd.exedescription pid process target process PID 1304 wrote to memory of 1440 1304 MaMoCrypter.bin.exe svchost.exe PID 1304 wrote to memory of 1440 1304 MaMoCrypter.bin.exe svchost.exe PID 1304 wrote to memory of 1440 1304 MaMoCrypter.bin.exe svchost.exe PID 1304 wrote to memory of 1440 1304 MaMoCrypter.bin.exe svchost.exe PID 1440 wrote to memory of 360 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 360 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 360 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 360 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 748 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 748 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 748 1440 svchost.exe cmd.exe PID 1440 wrote to memory of 748 1440 svchost.exe cmd.exe PID 748 wrote to memory of 1048 748 cmd.exe vssadmin.exe PID 748 wrote to memory of 1048 748 cmd.exe vssadmin.exe PID 748 wrote to memory of 1048 748 cmd.exe vssadmin.exe PID 748 wrote to memory of 1048 748 cmd.exe vssadmin.exe PID 360 wrote to memory of 1072 360 cmd.exe sc.exe PID 360 wrote to memory of 1072 360 cmd.exe sc.exe PID 360 wrote to memory of 1072 360 cmd.exe sc.exe PID 360 wrote to memory of 1072 360 cmd.exe sc.exe PID 1440 wrote to memory of 1500 1440 svchost.exe powershell.exe PID 1440 wrote to memory of 1500 1440 svchost.exe powershell.exe PID 1440 wrote to memory of 1500 1440 svchost.exe powershell.exe PID 1440 wrote to memory of 1500 1440 svchost.exe powershell.exe PID 748 wrote to memory of 1776 748 cmd.exe WMIC.exe PID 748 wrote to memory of 1776 748 cmd.exe WMIC.exe PID 748 wrote to memory of 1776 748 cmd.exe WMIC.exe PID 748 wrote to memory of 1776 748 cmd.exe WMIC.exe PID 1440 wrote to memory of 1564 1440 svchost.exe NOTEPAD.EXE PID 1440 wrote to memory of 1564 1440 svchost.exe NOTEPAD.EXE PID 1440 wrote to memory of 1564 1440 svchost.exe NOTEPAD.EXE PID 1440 wrote to memory of 1564 1440 svchost.exe NOTEPAD.EXE -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 1440 svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
svchost.exepowershell.exepid process 1440 svchost.exe 1440 svchost.exe 1440 svchost.exe 1440 svchost.exe 1500 powershell.exe 1500 powershell.exe -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
System policy modification 1 TTPs 17 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Loads dropped DLL 1 IoCs
Processes:
MaMoCrypter.bin.exepid process 1304 MaMoCrypter.bin.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
vssvc.exeWMIC.exepowershell.exedescription pid process Token: SeBackupPrivilege 1812 vssvc.exe Token: SeRestorePrivilege 1812 vssvc.exe Token: SeAuditPrivilege 1812 vssvc.exe Token: SeIncreaseQuotaPrivilege 1776 WMIC.exe Token: SeSecurityPrivilege 1776 WMIC.exe Token: SeTakeOwnershipPrivilege 1776 WMIC.exe Token: SeLoadDriverPrivilege 1776 WMIC.exe Token: SeSystemProfilePrivilege 1776 WMIC.exe Token: SeSystemtimePrivilege 1776 WMIC.exe Token: SeProfSingleProcessPrivilege 1776 WMIC.exe Token: SeIncBasePriorityPrivilege 1776 WMIC.exe Token: SeCreatePagefilePrivilege 1776 WMIC.exe Token: SeBackupPrivilege 1776 WMIC.exe Token: SeRestorePrivilege 1776 WMIC.exe Token: SeShutdownPrivilege 1776 WMIC.exe Token: SeDebugPrivilege 1776 WMIC.exe Token: SeSystemEnvironmentPrivilege 1776 WMIC.exe Token: SeRemoteShutdownPrivilege 1776 WMIC.exe Token: SeUndockPrivilege 1776 WMIC.exe Token: SeManageVolumePrivilege 1776 WMIC.exe Token: 33 1776 WMIC.exe Token: 34 1776 WMIC.exe Token: 35 1776 WMIC.exe Token: SeIncreaseQuotaPrivilege 1776 WMIC.exe Token: SeSecurityPrivilege 1776 WMIC.exe Token: SeTakeOwnershipPrivilege 1776 WMIC.exe Token: SeLoadDriverPrivilege 1776 WMIC.exe Token: SeSystemProfilePrivilege 1776 WMIC.exe Token: SeSystemtimePrivilege 1776 WMIC.exe Token: SeProfSingleProcessPrivilege 1776 WMIC.exe Token: SeIncBasePriorityPrivilege 1776 WMIC.exe Token: SeCreatePagefilePrivilege 1776 WMIC.exe Token: SeBackupPrivilege 1776 WMIC.exe Token: SeRestorePrivilege 1776 WMIC.exe Token: SeShutdownPrivilege 1776 WMIC.exe Token: SeDebugPrivilege 1776 WMIC.exe Token: SeSystemEnvironmentPrivilege 1776 WMIC.exe Token: SeRemoteShutdownPrivilege 1776 WMIC.exe Token: SeUndockPrivilege 1776 WMIC.exe Token: SeManageVolumePrivilege 1776 WMIC.exe Token: 33 1776 WMIC.exe Token: 34 1776 WMIC.exe Token: 35 1776 WMIC.exe Token: SeDebugPrivilege 1500 powershell.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1048 vssadmin.exe -
Drops file in Drivers directory 1 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\System32\drivers\etc\host svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe"C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks whether UAC is enabled
- System policy modification
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config "AppCheck" start=disabled4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\How Do I Recover My Files (Readme).txt
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
-
\Users\Admin\AppData\Local\Temp\svchost.exe
-
memory/360-3-0x0000000000000000-mapping.dmp
-
memory/748-4-0x0000000000000000-mapping.dmp
-
memory/1048-5-0x0000000000000000-mapping.dmp
-
memory/1072-6-0x0000000000000000-mapping.dmp
-
memory/1440-1-0x0000000000000000-mapping.dmp
-
memory/1500-7-0x0000000000000000-mapping.dmp
-
memory/1564-11-0x0000000000000000-mapping.dmp
-
memory/1776-8-0x0000000000000000-mapping.dmp