djvu | 5f65dd6a74baf05274208c326335057572519cc8d6cb468b8cb168dad3c2f1e6

Analysis

max time kernel
161s
max time network
190s
platform
windows10_x64
resource
win10-en-20211014
submitted
07-12-2021 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vaccine.exe
Size

7.6MB
MD5

51036ffd690fc0b4c9d32a7f014e2225
SHA1

1a51a798ac54a271bdef2b15f2fbfec80299128b
SHA256

70732fc71c82134f96999b191de22feba361d1f3f4050a22f2160273fd1d316a
SHA512

927863d1e53b1b73a1a0773029593943ee90ccb2810c52fa15841bc5569ac8171efc218dd866d55847381fc573dc8c356d8282c16fc1b764b75481d6f1556f62

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://tzgl.org/fhsgtsspen6/get.php

Attributes

extension
.wnlu
offline_id
gYuqQ5GsAaJom08TivUVhlPzZDKd916x4NcXrWt1
payload_url
http://kotob.top/dl/build2.exe
http://tzgl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-m8LBBi8x8F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0357Sigrj

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3776-137-0x00000000022B0000-0x00000000023CB000-memory.dmp	family_djvu
behavioral1/memory/1748-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1748-139-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1748-140-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2864-146-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2864-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2120-164-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2120-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Executes dropped EXE 2 IoCs

Processes:

4DB3.bin.exe4DB3.bin.exe

pid process

3316 4DB3.bin.exe
2120 4DB3.bin.exe
Loads dropped DLL 9 IoCs

Processes:

vaccine.exe

pid process

872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
872 vaccine.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3656 icacls.exe

pid	process
3316	4DB3.bin.exe
2120	4DB3.bin.exe

pid	process
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe
872	vaccine.exe

pid	process
3656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4DB3.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\513b8a35-fb49-4f26-ad22-01723969190a\\4DB3.bin.exe\" --AutoStart"	4DB3.bin.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 api.2ip.ua
25 api.2ip.ua
26 api.2ip.ua
32 api.2ip.ua
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe

flow	ioc
38	api.2ip.ua
25	api.2ip.ua
26	api.2ip.ua
32	api.2ip.ua

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4DB3.bin.exe4DB3.bin.exe4DB3.bin.exe

description	pid	process	target process
PID 3776 set thread context of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3180 set thread context of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3316 set thread context of 2120	3316	4DB3.bin.exe	4DB3.bin.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings firefox.exe
Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

4016 NOTEPAD.EXE
2960 NOTEPAD.EXE
4248 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4DB3.bin.exe4DB3.bin.exe4DB3.bin.exe

pid process

1748 4DB3.bin.exe
1748 4DB3.bin.exe
2864 4DB3.bin.exe
2864 4DB3.bin.exe
2120 4DB3.bin.exe
2120 4DB3.bin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

588 mmc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	firefox.exe

pid	process
4016	NOTEPAD.EXE
2960	NOTEPAD.EXE
4248	NOTEPAD.EXE

pid	process
1748	4DB3.bin.exe
1748	4DB3.bin.exe
2864	4DB3.bin.exe
2864	4DB3.bin.exe
2120	4DB3.bin.exe
2120	4DB3.bin.exe

pid	process
588	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mmc.exe

description	pid	process
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe
Token: 33	588	mmc.exe
Token: SeIncBasePriorityPrivilege	588	mmc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

396 firefox.exe
396 firefox.exe
396 firefox.exe
396 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

396 firefox.exe
396 firefox.exe
396 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

mmc.exefirefox.exe

pid process

588 mmc.exe
588 mmc.exe
396 firefox.exe

pid	process
396	firefox.exe
396	firefox.exe
396	firefox.exe
396	firefox.exe

pid	process
396	firefox.exe
396	firefox.exe
396	firefox.exe

pid	process
588	mmc.exe
588	mmc.exe
396	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

vaccine.exe4DB3.bin.exe4DB3.bin.exe4DB3.bin.exe4DB3.bin.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1920 wrote to memory of 872	1920	vaccine.exe	vaccine.exe
PID 1920 wrote to memory of 872	1920	vaccine.exe	vaccine.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 3776 wrote to memory of 1748	3776	4DB3.bin.exe	4DB3.bin.exe
PID 1748 wrote to memory of 3656	1748	4DB3.bin.exe	icacls.exe
PID 1748 wrote to memory of 3656	1748	4DB3.bin.exe	icacls.exe
PID 1748 wrote to memory of 3656	1748	4DB3.bin.exe	icacls.exe
PID 1748 wrote to memory of 3180	1748	4DB3.bin.exe	4DB3.bin.exe
PID 1748 wrote to memory of 3180	1748	4DB3.bin.exe	4DB3.bin.exe
PID 1748 wrote to memory of 3180	1748	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3180 wrote to memory of 2864	3180	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 3316 wrote to memory of 2120	3316	4DB3.bin.exe	4DB3.bin.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 396	1708	firefox.exe	firefox.exe
PID 396 wrote to memory of 4020	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 4020	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe
PID 396 wrote to memory of 3624	396	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\vaccine.exe
"C:\Users\Admin\AppData\Local\Temp\vaccine.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\vaccine.exe
"C:\Users\Admin\AppData\Local\Temp\vaccine.exe"
2⤵
- Loads dropped DLL
PID:872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:612

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\bowsakkdestx.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3656

C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4DB3.bin.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:588

C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe --Task
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\SystemID\PersonalID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.0.1054563617\796533176" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 1604 gpu
3⤵
PID:4020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.3.2105440387\1649840980" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 156 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 2124 tab
3⤵
PID:3624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.13.1729195623\1005489675" -childID 2 -isForBrowser -prefsHandle 3344 -prefMapHandle 3100 -prefsLen 7013 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 3360 tab
3⤵
PID:956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="396.20.289056338\70033390" -childID 3 -isForBrowser -prefsHandle 3956 -prefMapHandle 3932 -prefsLen 7718 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 396 "\\.\pipe\gecko-crash-server-pipe.396" 4320 tab
3⤵
PID:4124

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\bowsakkdestx.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt
MD5
47f4765154cf29db1151e031ec30c7be

SHA1
2ea01d44388a1618aab334346eace27d137ae870

SHA256
99e78dcc99f522bf13c5ae6cbd55c2eaa23dd1cca29dde4402f5b86b8bf811c6

SHA512
b896a7049c771ebc0b6553ea050ae66f4ca5903592a4039287aba2f61f0e976f8ae7afd5efdaa3b29bc8dd8e2977804c0b50e43ee02898a7853508c94391b4bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dfd1d8c11c8e104d9ca31b6b589fb717

SHA1
50e4a082219aa5c4e2376f1e9910a748287bef36

SHA256
7e5518f47ccc38390147991b40a3addde74cb52264f8808cf1088f5f711e2345

SHA512
31fea2c3cd0ad810a7a298251571ef14ac2445f8fe1fc5e806f26378a9397c47a04790b9a3c5a02af83c0e572878e7d6c59c7751a8be012902c1c86b699dd216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
0ffb91dc0ac91e9630245216a5677aff

SHA1
d861ae5652a25d5f0396178818058150adf00273

SHA256
b88d9ca03ea0f1c5900d203f3e416f0fa159823801358261823b5898cd97fe6b

SHA512
063f2bce3ead49f7bd9a7c8aa21161f78a25362034c2973f4d4721001f475296b7aee221801b7dc28a342bb5f4688be58c999ff13e777a19d8eb8147a75bcbc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
774d0b3923673e3625696675075617b5

SHA1
3404e701510a43cb9f8d5f858069e135a7b34381

SHA256
17d9b584889159e6561ac1cc2802145b7df73de5b5e89aa1571daba34a8f7fd9

SHA512
293224af129d5449f6e4d202afade72050b37a258cee34c6a47d51d739ba339bd749e1fdb4cca7d0fa06922653cb29aaa6b3c18185f24eff533caa84cdca30e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
ae7c1a624aa7175aac9b337826638354

SHA1
e7b9435a1bc24fe99cbdde1bec26fa24cca57814

SHA256
8e6e084651e7b4c33a934d2c4829dc9a0e553c516f412dee917a7d673aafa390

SHA512
a9961787d8694b9f88d5639e99fc758b63e25b796d1094a0a53db5bc6bbc9a3646f6449c91d8b347232f9aa1eb815daaebe140ffdd2d1056d2b68478ce6526b6

Download Submit
C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
MD5
ce492cc2d9bff6b9c1455b1d68776e77

SHA1
fd40c16d8de20f934e2f39cb12a6f5e30e859606

SHA256
234bb5fec4db69b563c807f168bfb48e37abde49e9ae5d4a7ee4cb90e552fa1e

SHA512
a1365398ba4f261f565b0365ddaa586f0a0eb51e86ccc831aba5e6a5dddf166e2c94e92d3fef0cbb897a0ae710328aef23730b59ab307cb0d58cc250df6e4243

Download Submit
C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
MD5
ce492cc2d9bff6b9c1455b1d68776e77

SHA1
fd40c16d8de20f934e2f39cb12a6f5e30e859606

SHA256
234bb5fec4db69b563c807f168bfb48e37abde49e9ae5d4a7ee4cb90e552fa1e

SHA512
a1365398ba4f261f565b0365ddaa586f0a0eb51e86ccc831aba5e6a5dddf166e2c94e92d3fef0cbb897a0ae710328aef23730b59ab307cb0d58cc250df6e4243

Download Submit
C:\Users\Admin\AppData\Local\513b8a35-fb49-4f26-ad22-01723969190a\4DB3.bin.exe
MD5
ce492cc2d9bff6b9c1455b1d68776e77

SHA1
fd40c16d8de20f934e2f39cb12a6f5e30e859606

SHA256
234bb5fec4db69b563c807f168bfb48e37abde49e9ae5d4a7ee4cb90e552fa1e

SHA512
a1365398ba4f261f565b0365ddaa586f0a0eb51e86ccc831aba5e6a5dddf166e2c94e92d3fef0cbb897a0ae710328aef23730b59ab307cb0d58cc250df6e4243

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\_ctypes.pyd
MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\_socket.pyd
MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\base_library.zip
MD5
935ecbb6c183daa81c0ac65c013afd67

SHA1
0d870c56a1a9be4ce0f2d07d5d4335e9239562d1

SHA256
7ae17d6eb5d9609dc8fc67088ab915097b4de375e286998166f931da5394d466

SHA512
a9aac82ab72c06cfff1f1e34bf0f13cbf0d7f0dc53027a9e984b551c602d58d785c374b02238e927e7b7d69c987b1e8ab34bfc734c773ef23d35b0bdb25e99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\python39.dll
MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\pywintypes39.dll
MD5
977f7ef232671b94251d8eaddd15390d

SHA1
97d9035a5f21df0267f4ae8cd203a92917aab970

SHA256
4ece6771f1206b99dba4e5cf988051472f530bf90bb3114d3fd7377b3f34dfa6

SHA512
1f556c661d3dd963cd563230a1ac1707905ffbfb3d76081f3dd316b40ce55ce1bfcc431f744de98ab3249760d4386cccd54a483b01f98017ff75c6603d316988

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\select.pyd
MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19202\win32api.pyd
MD5
0afa0ac73c1659570e529f51f3a0d8c6

SHA1
f4f7d659bcac3409395aa92a72ba90d0c7db204f

SHA256
b541e3d53be2db7da8e1c16496958fc6c8034ccc8ac763fd00e4a6fbd1162944

SHA512
0bb76bd92cbbd8f1f42a309b9f17124136032a41f7e75977fff4e208794218ed01574c7253a75fa7254cfcdb5f7920ebd8847fff9e851c3a6559eb6ed80590fe

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
MD5
06992dab50d0ce7f132ce61599b62ac6

SHA1
19b1fe7fb4ffe40db56fea6ed444687e831e7c57

SHA256
d4f3aaca71d19ce72340c6b320419d93fc6b12a0d009ffc6a88af535b5db4d91

SHA512
407a8efa93a2acff99045961c26e0a78935bc44a36bc478f6917e434e982110f426486684dd7fa9c622bcaab42c2590c6cbe077d4b124a9a9200811ffcb99310

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\VCRUNTIME140.dll
MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\_ctypes.pyd
MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\_socket.pyd
MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\python39.dll
MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\pywintypes39.dll
MD5
977f7ef232671b94251d8eaddd15390d

SHA1
97d9035a5f21df0267f4ae8cd203a92917aab970

SHA256
4ece6771f1206b99dba4e5cf988051472f530bf90bb3114d3fd7377b3f34dfa6

SHA512
1f556c661d3dd963cd563230a1ac1707905ffbfb3d76081f3dd316b40ce55ce1bfcc431f744de98ab3249760d4386cccd54a483b01f98017ff75c6603d316988

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\select.pyd
MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\ucrtbase.dll
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19202\win32api.pyd
MD5
0afa0ac73c1659570e529f51f3a0d8c6

SHA1
f4f7d659bcac3409395aa92a72ba90d0c7db204f

SHA256
b541e3d53be2db7da8e1c16496958fc6c8034ccc8ac763fd00e4a6fbd1162944

SHA512
0bb76bd92cbbd8f1f42a309b9f17124136032a41f7e75977fff4e208794218ed01574c7253a75fa7254cfcdb5f7920ebd8847fff9e851c3a6559eb6ed80590fe

Download Submit
memory/588-152-0x000000001C990000-0x000000001C992000-memory.dmp

Filesize
8KB

Download
memory/588-160-0x000000001C998000-0x000000001C99A000-memory.dmp

Filesize
8KB

Download
memory/588-159-0x000000001C99A000-0x000000001C99F000-memory.dmp

Filesize
20KB

Download
memory/588-158-0x00007FF6029E0000-0x00007FF6029E1000-memory.dmp

Filesize
4KB

Download
memory/588-157-0x000000001C997000-0x000000001C998000-memory.dmp

Filesize
4KB

Download
memory/588-156-0x000000001C996000-0x000000001C997000-memory.dmp

Filesize
4KB

Download
memory/588-155-0x000000001C995000-0x000000001C996000-memory.dmp

Filesize
4KB

Download
memory/588-154-0x000000001C994000-0x000000001C995000-memory.dmp

Filesize
4KB

Download
memory/588-153-0x000000001C992000-0x000000001C994000-memory.dmp

Filesize
8KB

Download
memory/872-115-0x0000000000000000-mapping.dmp

Download
memory/1748-139-0x0000000000424141-mapping.dmp

Download
memory/1748-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1748-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2120-164-0x0000000000424141-mapping.dmp

Download
memory/2120-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-146-0x0000000000424141-mapping.dmp

Download
memory/3180-143-0x0000000000000000-mapping.dmp

Download
memory/3180-144-0x0000000000636000-0x00000000006C8000-memory.dmp

Filesize
584KB

Download
memory/3316-162-0x000000000211C000-0x00000000021AE000-memory.dmp

Filesize
584KB

Download
memory/3656-141-0x0000000000000000-mapping.dmp

Download
memory/3776-137-0x00000000022B0000-0x00000000023CB000-memory.dmp

Filesize
1.1MB

Download
memory/3776-136-0x00000000020B2000-0x0000000002144000-memory.dmp

Filesize
584KB

Download