General
Target

https://ipfs.io/ipfs/QmPN2XUEgBJN1rYB3AzhrtQEjuF3R3KQrZA9LZgdaicThH?filename=bethan_index.html

Filesize

N/A

Completed

17-05-2022 16:07

Task

behavioral1

Score
10/10
Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FJZU34PA\bethan_index[1].html

Family

ryuk

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script src="https://kit.fontawesome.com/c2d4bde48d.js" crossorigin="anonymous"></script> <title id="pageTittle">Authenticating ...</title> <link id="faviconPage" rel="shortcut icon" href="favicon.ico" type="image/x-icon"> <style> /* OBFUSCATED BY CSSOBFUSCATOR.COM at 2022/04/04 13:55:43 */ [class~=allBlock], [class~=headerClass], [class~=pdfClass], [class~=dButton] { position: relative; } [class~=allBlock] { margin-top: 30px; } .detailBlock, [class~=allBlock] { margin-left: auto; } [class~=lds-ring] div { box-sizing: border-box; } body { font-family: Arial, Helvetica, sans-serif; } [class~=lds-ring] div { display: block; } * { padding-left: 0pt; } [class~=allBlock], .detailBlock { margin-right: auto; } .detailBlock, [class~=allBlock] { width: 337.5pt; } [class~=lds-ring] div { position: absolute; } [class~=lds-ring] div { width: 54px; } .detailBlock, [class~=allBlock] { display: flex; } * { padding-bottom: 0pt; } body { width: 100%; } [class~=dButton], .detailBlock, [class~=allBlock] { justify-content: center; } .detailBlock, [class~=allBlock] { flex-direction: column; } [class~=lds-ring] div { height: 40.5pt; } [class~=lds-ring] div { margin-left: .083333333in; } .detailBlock, [class~=allBlock] { align-items: center; } [class~=lds-ring] div { margin-bottom: .083333333in; } [class~=lds-ring] div { margin-right: .083333333in; } * { padding-right: 0pt; } body { background-color: #fff; } * { padding-top: 0pt; } * { margin-left: 0pc; } [class~=pdfClass] { height: 75pt; } [class~=pdfClass] { width: 90px; } [class~=pdfClass] { justify-self: center; } [class~=pdfClass] { margin-bottom: .208333333in; } [class~=pdfClass], .docNameClass, [class~=dButton] { cursor: pointer; } [class~=dButton] { background-color: #029115; } [class~=dButton] { color: white; } [class~=lds-ring] div { 
margin-top: .083333333in; } [class~=dButton] { padding-left: 11.25pt; } [class~=dButton] { padding-bottom: .9375pc; } [class~=dButton] { padding-right: 7.5pt; } [class~=dButton] { padding-top: .9375pc; } [class~=dButton] { width: 1.875in; } [class~=dButton] { border-radius: .3125pc; } *, [class~=dButton] { margin-bottom: 0pc; } [class~=dButton] { margin-left: 3.125pc; } [class~=lds-ring] div { border-left-width: .25pc; } [class~=lds-ring] div { border-bottom-width: .25pc; } [class~=lds-ring] div { border-right-width: .25pc; } [class~=dButton] { margin-right: 3.125pc; } [class~=dButton] { margin-top: 3.125pc; } * { margin-right: 0pc; } * { margin-top: 0pc; } [class~=dButton] { display: none; } .docNameClass { color: #6969d8; } .docNameClass { font-weight: 100; } .docNameClass { font-weight: bold; } [class~=headerClass] { top: 0in; } [class~=headerClass] { background-color: #00f; } [class~=headerClass] { height: 37.5pt; } [class~=headerClass] { width: 100%; } [class~=headerClass] { color: white; } * { outline: none; } [class~=headerClass] { display: flex; } [class~=lds-ring] div { border-top-width: .25pc; } [class~=headerClass] { justify-content: space-between; } [class~=textClass] { color: #2c2c2c; } [class~=textClass] { font-weight: 200; } [class~=lds-ring] div { border-left-style: solid; } [class~=textClass] { width: auto; } [class~=textClass] { text-justify: auto; } [class~=lds-ring] { display: inline-block; } [class~=lds-ring] { position: relative; } [class~=lds-ring] { width: 4.375pc; } [class~=lds-ring] div { border-bottom-style: solid; } [class~=lds-ring] div { border-right-style: solid; } [class~=lds-ring] { height: .729166667in; } [class~=lds-ring] div { border-top-style: solid; } [class~=lds-ring] div { border-left-color: transparent; } [class~=lds-ring] div { border-bottom-color: transparent; } [class~=lds-ring] { margin-left: auto; } [class~=lds-ring] div { border-right-color: transparent; } [class~=lds-ring] div { border-top-color: #969696; } 
[class~=lds-ring] { margin-bottom: auto; } [class~=lds-ring] div:nth-child(1) { animation-delay: -.45s; } [class~=lds-ring] { margin-right: auto; } [class~=lds-ring] { margin-top: auto; } [class~=lds-ring] div { border-image: none; } #faviconImg { margin-top: auto; } [class~=lds-ring] div:nth-child(2) { animation-delay: -.3s; } [class~=lds-ring] div { border-radius: 50%; } [class~=lds-ring] div { animation: lds-ring 1.2s cubic-bezier(.5, 0, .5, 1) infinite; } #faviconImg { margin-bottom: auto; } #faviconImg { margin-left: 3.75pt; } [class~=lds-ring] div:nth-child(3) { animation-delay: -.15s; } @keyframes lds-ring { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } [class~=profileLogo], [class~=sign-in-button]:hover, .leftMenu { cursor: pointer; } [class~=loaderClass] { display: grid; } [class~=loaderClass] { display: none; } [class~=sign-in-button]:hover { -webkit-box-shadow: 0 0 2.25pt .1875pc rgba(66, 133, 244, .3); } #passwordId { position: relative; } [class~=loaderClass]>* { margin-top: 22.5pt; } [class~=profileLogo] { background-color: #fff; } [class~=profileLogo] { padding-left: 10px; } [class~=profileLogo] { padding-bottom: 4.5pt; } [class~=profileLogo] { padding-right: .625pc; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { width: 100%; } [class~=profileLogo] { padding-top: .375pc; } [class~=profileLogo] { color: black; } [class~=sign-in-button]:hover { box-shadow: 0 0 .1875pc .03125in rgba(66, 133, 244, .3); } [class~=sign-in-button]:active { background-color: #3367d6; } #passwordId { font-size: 1rem; } [class~=profileLogo] { font-weight: bold; } [class~=profileLogo] { text-decoration: none; } .leftMenu { margin-right: .104166667in; } #passwordId { letter-spacing: .125pc; } .leftMenu { display: flex; } .leftMenu>* { margin-left: .3125in; } [class~=docName], .leftMenu>* { margin-bottom: auto; } [class~=docName], .leftMenu>* { margin-right: auto; } [class~=docName], .leftMenu>* { margin-top: auto; } #passwordId, 
[class~=sign-in-button] [class~=content-wrapper] { border-left-style: solid; } [class~=docName] { margin-left: 10px; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-bottom-style: solid; } [class~=sign-in-button]:active { transition: background-color .2s; } [class~=sign-in-button] [class~=content-wrapper] { height: 100%; } [class~=sign-in-button] img { width: 38px; } [class~=sign-in-button] [class~=content-wrapper] { border-left-width: .75pt; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-right-style: solid; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-top-style: solid; } [class~=topBlock] { display: grid; } [class~=topBlock] { width: auto; } [class~=topBlock] { justify-items: center; } [class~=sign-in-button] { margin-left: 7.5pt; } [class~=sign-in-button] { margin-bottom: 7.5pt; } [class~=sign-in-button] [class~=content-wrapper] { border-bottom-width: .75pt; } #passwordId { padding-left: 3.75pt; } [class~=sign-in-button] { margin-right: 7.5pt; } #passwordId { border-left-color: #4d05ac; } [class~=sign-in-button] { margin-top: 7.5pt; } #passwordId { border-bottom-color: #4d05ac; } [class~=sign-in-button] { display: inline-block; } [class~=sign-in-button] [class~=content-wrapper] { border-right-width: .75pt; } [class~=sign-in-button] img { height: .395833333in; } [class~=sign-in-button] { width: 2.65625in; } [class~=sign-in-button] [class~=content-wrapper] { border-top-width: .75pt; } [class~=sign-in-button] { height: .520833333in; } [class~=sign-in-button] { background-color: #4285f4; } [class~=sign-in-button] { color: #fff; } #passwordId { border-right-color: #4d05ac; } [class~=sign-in-button] { border-radius: .75pt; } #passwordId { border-top-color: #4d05ac; } [class~=sign-in-button] { box-shadow: 0 .020833333in .041666667in 0 rgba(0, 0, 0, .25); } [class~=sign-in-button] { transition: background-color .218s, border-color .218s, box-shadow .218s; } .loginSection { height: .416666667in; 
} .loginSection { display: flex; } [class~=passLabel] { padding-left: .052083333in; } [class~=passLabel] { padding-bottom: .052083333in; } #emailIdLable { margin-top: .0625in; } #emailIdLable { margin-left: 5px; } [class~=passLabel] { padding-right: .052083333in; } [class~=passLabel] { padding-top: .052083333in; } [class~=sign-in-button] [class~=content-wrapper] { border-left-color: transparent; } [class~=sign-in-button] img { margin-top: -5px; } #mainLoader, [class~=passLabel], #appleBG { position: relative; } [class~=showPass] { cursor: pointer; } [class~=sign-in-button] [class~=content-wrapper] { border-bottom-color: transparent; } [class~=emailEnder] { font-size: small; } [class~=sign-in-button] [class~=content-wrapper] { border-right-color: transparent; } [class~=emailEnder] { padding-top: 10px; } .loginForm { height: 4.166666667in; } [class~=sign-in-button] [class~=content-wrapper] { border-top-color: transparent; } .loginForm { width: 4.375in; } #emailIdLable { font-weight: bold; } #emailIdLable { font-size: 1rem; } [class~=sign-in-button] [class
Emails

anna.wilson@mtn.com

wwilosn@yandex.com

URLs

http-equiv="X-UA-Compatible"

https://google.com/404/domian-removed

Signatures 9

Defense Evasion
Discovery
  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Checks processor information in registry
    firefox.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359575623" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 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.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BECA0E21-D60B-11EC-B70B-4E28EF19992D} = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10499299186ad801 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  • Modifies registry class
    firefox.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | firefox.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | firefox.exe
  • Suspicious use of AdjustPrivilegeToken
    firefox.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1292 | firefox.exe
    Token: SeDebugPrivilege | 1292 | firefox.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe, firefox.exe

    Reported IOCs

    pid | process
    1648 | iexplore.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
  • Suspicious use of SendNotifyMessage
    firefox.exe

    Reported IOCs

    pid | process
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exe, IEXPLORE.EXE, firefox.exe

    Reported IOCs

    pid | process
    1648 | iexplore.exe
    1648 | iexplore.exe
    2044 | IEXPLORE.EXE
    2044 | IEXPLORE.EXE
    2044 | IEXPLORE.EXE
    2044 | IEXPLORE.EXE
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
    1292 | firefox.exe
  • Suspicious use of WriteProcessMemory
    iexplore.exe, firefox.exe, firefox.exe

    Reported IOCs

    description | pid | process | target process
    PID 1648 wrote to memory of 2044 | 1648 | iexplore.exe | IEXPLORE.EXE
    PID 1648 wrote to memory of 2044 | 1648 | iexplore.exe | IEXPLORE.EXE
    PID 1648 wrote to memory of 2044 | 1648 | iexplore.exe | IEXPLORE.EXE
    PID 1648 wrote to memory of 2044 | 1648 | iexplore.exe | IEXPLORE.EXE
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1944 wrote to memory of 1292 | 1944 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1728 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1728 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1728 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 1556 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 2284 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 2284 | 1292 | firefox.exe | firefox.exe
    PID 1292 wrote to memory of 2284 | 1292 | firefox.exe | firefox.exe
Processes 7
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfs.io/ipfs/QmPN2XUEgBJN1rYB3AzhrtQEjuF3R3KQrZA9LZgdaicThH?filename=bethan_index.html
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2044
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.0.841302502\536074304" -parentBuildID 20200403170909 -prefsHandle 1200 -prefMapHandle 1192 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1276 gpu
        PID:1728
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.3.1632844764\1108614752" -childID 1 -isForBrowser -prefsHandle 1408 -prefMapHandle 1576 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1120 tab
        PID:1556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.13.171106252\1197924528" -childID 2 -isForBrowser -prefsHandle 2700 -prefMapHandle 2696 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 2712 tab
        PID:2284
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    MD5

    b9f21d8db36e88831e5352bb82c438b3

    SHA1

    4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

    SHA256

    998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

    SHA512

    d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    MD5

    6f3a57709ac51725421b371d5683e3d8

    SHA1

    89a8ef577644a83888761e6f5c71e322e3e8c13a

    SHA256

    2fcd6ce4832e71cf8585b0697c871107ef76a2439f846e9d32a3464d59ddf374

    SHA512

    4fc44c01a507d406f43a22a8f89246467e02f2c8645466c76915ea6d046133654e8534c3c5b3b572f04645089fad6f5dc13f1282df22d1edaaa28216a87b78b6

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat

    MD5

    308da6295c2978b1e9d43dda9779d548

    SHA1

    b24db77ef7f4b04d20555e5fc262212d010166c5

    SHA256

    46bc2f247e1bdd9643159d9a973c8fde329cbbfa5c6de0a415b5c9143d2b2f90

    SHA512

    e85a3e1b9b8c2b25aab3f069d0856eb0bf034477c89201b333470008583825806b01fed3df699cf6f38677c86dbd57217a789412a1bd4cfb8a4b8d3cb04df42c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PYCVYJC3.txt

    MD5

    a4330a86d6f1cea603ecb98fd54d9ec2

    SHA1

    6ea8acdd082d8a49d8b0b917ff667eba931a2794

    SHA256

    1809361607256c64831e9e69c789e8ef9df36743da8e7e66ae62a9cbdf317a91

    SHA512

    473bd94a1f8447f13fcb2ed9135fe426ec97a4b76d46a05b82fd1637863469f6c0630770b6aa89280b7aa9858d02dee4e212af88a33d8ffa6d8c8c6c30006a03