44810512af577ca70b3269b8570b10825ec2ace2b86e4297e767a0f4c0ee8bfd

Analysis

max time kernel
314s
max time network
376s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2024, 01:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

python-3.12.5-amd64.exe
Size

25.3MB
MD5

bbcb2fcf9d739f776fb6414afc12c80d
SHA1

2d78877db5a8da134ab54ed952b961a7e750ec7d
SHA256

44810512af577ca70b3269b8570b10825ec2ace2b86e4297e767a0f4c0ee8bfd
SHA512

0572c6345f6a4f7f3e5c2ff858e3ca7ca54ae4478f3d59d8e18cb0f596e61dcf12aef579db229e83d63b30f15d6684ee6bb3feaea9413e5e636a503933057678
SSDEEP

786432:jKEO2c6viGKJXI95MB6K3qtY9a3YiVTfwtzWo2CB8:XHiRuVKCY9a3YiRws6B8

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
5044	python-3.12.5-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
5044	python-3.12.5-amd64.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.5-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.5-amd64.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	firefox.exe
Token: SeDebugPrivilege	632	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
632	firefox.exe
632	firefox.exe
632	firefox.exe
632	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
632	firefox.exe
632	firefox.exe
632	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
632	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 5044	500	python-3.12.5-amd64.exe	72
PID 500 wrote to memory of 5044	500	python-3.12.5-amd64.exe	72
PID 500 wrote to memory of 5044	500	python-3.12.5-amd64.exe	72
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 4584 wrote to memory of 632	4584	firefox.exe	75
PID 632 wrote to memory of 1356	632	firefox.exe	76
PID 632 wrote to memory of 1356	632	firefox.exe	76
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77
PID 632 wrote to memory of 204	632	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe
  "C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.0.1633449770\1227205992" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fda71460-7427-4f88-a59b-99571a65558c} 632 "\\.\pipe\gecko-crash-server-pipe.632" 1808 205a2fd6158 gpu
    3⤵
    PID:1356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.1.1982920495\715932537" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebdca97-3e95-4de4-9cff-ef8f8b7f5613} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2164 205a2efad58 socket
    3⤵
    - Checks processor information in registry
    PID:204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.2.895387021\1758922731" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2680 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2309f49c-d12b-4101-ad06-2b27923e7415} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2856 205a2f5b458 tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.3.986054480\574663988" -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ebc2023-94b3-42b2-b3b4-1e3ae82a1e18} 632 "\\.\pipe\gecko-crash-server-pipe.632" 3524 20590d62558 tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.4.1626208219\1617274761" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {355b8ef5-60dd-44e6-88f2-854a60f82557} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4220 205a8ff6958 tab
    3⤵
    PID:748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.5.1358584345\1201355811" -childID 4 -isForBrowser -prefsHandle 4620 -prefMapHandle 4672 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef9f517-4ede-4485-9ca2-f9b489517310} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4680 20590d62858 tab
    3⤵
    PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.6.748108104\198678381" -childID 5 -isForBrowser -prefsHandle 4816 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a418f7d-db6c-4029-8bfc-6106a57f1e7e} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4900 205a9332358 tab
    3⤵
    PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.7.476163657\1604442667" -childID 6 -isForBrowser -prefsHandle 5008 -prefMapHandle 5012 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb9115e3-eda2-4aac-a76a-567957f7b743} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5092 205a9bd3c58 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.8.884026708\24423689" -childID 7 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcd1b85b-ff45-41b5-b2aa-892e36494168} 632 "\\.\pipe\gecko-crash-server-pipe.632" 3444 205a9331d58 tab
    3⤵
    PID:2256

Network

DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

44.226.249.47

shavar.prod.mozaws.net

IN A

44.239.24.213

shavar.prod.mozaws.net

IN A

54.71.162.254
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA
DNS

254.162.71.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.162.71.54.in-addr.arpa

IN PTR

Response

254.162.71.54.in-addr.arpa

IN PTR

ec2-54-71-162-254 us-west-2compute amazonawscom
DNS

254.162.71.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.162.71.54.in-addr.arpa

IN PTR
DNS

166.188.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.188.117.34.in-addr.arpa

IN PTR

Response

166.188.117.34.in-addr.arpa

IN PTR

16618811734bcgoogleusercontentcom
DNS

166.188.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.188.117.34.in-addr.arpa

IN PTR
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.179.228
GET

https://www.google.com/search?client=firefox-b-d&q=wanacry+ransowmare+odwnload

firefox.exe

Remote address:

142.250.179.228:443

Request

GET /search?client=firefox-b-d&q=wanacry+ransowmare+odwnload HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers

Response

HTTP/2.0 429

date: Wed, 28 Aug 2024 01:27:36 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate
content-type: text/html
server: HTTP server (unknown)
content-length: 3232
content-type: text/html
content-length: 3232
GET

https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fclient%3Dfirefox-b-d%26q%3Dwanacry%2Bransowmare%2Bodwnload&q=EgTCbg1GGP_5ubYGIjBkAR_4f5j7SEs4PW4L7al-0KgzDXDQxJbr4Ky80xScmwa20BWZlr7J2d0qBxpIpz8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

firefox.exe

Remote address:

142.250.179.228:443

Request

GET /sorry/index?continue=https://www.google.com/search%3Fclient%3Dfirefox-b-d%26q%3Dwanacry%2Bransowmare%2Bodwnload&q=EgTCbg1GGP_5ubYGIjBkAR_4f5j7SEs4PW4L7al-0KgzDXDQxJbr4Ky80xScmwa20BWZlr7J2d0qBxpIpz8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: AEC=AVYB7crQbMxEqmsJEPabBfLwcjHEYVi9xi_Aegkm7SZXwOrHJ21vtxnVYg
cookie: __Secure-ENID=21.SE=ED5N2NDfWqzQACPDRUklqKP485SkpgCjcEFt1XvHN4doxJdGX3AKgOwhlj-V-v6ZKOVNA47DGh8itTRXrwOlquFKSiw1x4tHAqAZysKETrYIZqqbUO6KBk66tm5ExvZ0aGR8BEAMxNaL5NvgpqIWKo-YK_wt4c1IaRovBehUbyyR808tf-wkfp9-ED2R
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.179.228
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:81d::2004
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA
DNS

228.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.179.250.142.in-addr.arpa

IN PTR

Response

228.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f41e100net
DNS

228.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.179.250.142.in-addr.arpa

IN PTR
DNS

228.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.179.250.142.in-addr.arpa

IN PTR
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

136.71.105.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.71.105.51.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response

127.0.0.1:49831

firefox.exe
127.0.0.1:49837

firefox.exe
142.250.179.228:443

https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fclient%3Dfirefox-b-d%26q%3Dwanacry%2Bransowmare%2Bodwnload&q=EgTCbg1GGP_5ubYGIjBkAR_4f5j7SEs4PW4L7al-0KgzDXDQxJbr4Ky80xScmwa20BWZlr7J2d0qBxpIpz8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

firefox.exe

5.3kB
12.3kB
32
29

HTTP Request

GET https://www.google.com/search?client=firefox-b-d&q=wanacry+ransowmare+odwnload

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fclient%3Dfirefox-b-d%26q%3Dwanacry%2Bransowmare%2Bodwnload&q=EgTCbg1GGP_5ubYGIjBkAR_4f5j7SEs4PW4L7al-0KgzDXDQxJbr4Ky80xScmwa20BWZlr7J2d0qBxpIpz8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429

8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

44.226.249.47

44.239.24.213

54.71.162.254
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

136 B
153 B
2
1

DNS Request

shavar.prod.mozaws.net

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

254.162.71.54.in-addr.arpa

dns

144 B
135 B
2
1

DNS Request

254.162.71.54.in-addr.arpa

DNS Request

254.162.71.54.in-addr.arpa
8.8.8.8:53

166.188.117.34.in-addr.arpa

dns

146 B
126 B
2
1

DNS Request

166.188.117.34.in-addr.arpa

DNS Request

166.188.117.34.in-addr.arpa
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.179.228
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.179.228
8.8.8.8:53

www.google.com

dns

firefox.exe

120 B
88 B
2
1

DNS Request

www.google.com

DNS Request

www.google.com

DNS Response

2a00:1450:4009:81d::2004
8.8.8.8:53

228.179.250.142.in-addr.arpa

dns

222 B
112 B
3
1

DNS Request

228.179.250.142.in-addr.arpa

DNS Request

228.179.250.142.in-addr.arpa

DNS Request

228.179.250.142.in-addr.arpa
142.250.179.228:443

www.google.com

https

firefox.exe

21.2kB
74.4kB
43
86
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.187.250.142.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

136.71.105.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.71.105.51.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
1798aa60e6f29812b53f7d97ffd83690

SHA1
3b9e6c161cf3fec33ef2953fe2a3801a61309acb

SHA256
d4e1497d28b33f6c6da6ddb4857dc1be55e0beb9f819ff603920d9bae4ea73cf

SHA512
4b264483375e89a578027dde08881060b1c2a762da7fca5d1c882cce1f34f9c25c41282b8a855acb4820100b11d9b6358a1f23947f6453bd9b54281e733e13d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\3bc598a8-6933-4d96-a459-e4b67650c64e

Filesize
734B

MD5
6e37929bae6af41ea29036462bb146bb

SHA1
af1c25dc2579765a05677c1d7bfa154062c5d792

SHA256
f897c763df14277228f2f3e48f7a091b133ff6064d1e06df2a126b077a2cf5e3

SHA512
0f8236a63b58182d12f3f0087b01eaa9381e5d4de068ce73a369fbee25e4583f81f213339bd50fd7df0a782352c0f78b5ff90956da8d0328cc5bc98465b97db2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
b1af24569894aae9c91cf24c693a39af

SHA1
0e94a3ebb68472046bf1cbaa6add445eab093559

SHA256
5a0b4cfd248ea55826cfb3746474ca400d4f5883cae2bb0a5c8d452adab50fb0

SHA512
b631159ed90a964a56fe0ca3604b1b9cefdae0fc536027ec6fc68d099a61fb7feca5fac0c5689120709dc69e3db20cb92e8698abf0481372b8e53d7a78a730d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
4aaf2a9934c2fb8e9d972351a7997bdc

SHA1
8bd8a097a093ba55d402fafec9c4456c031df379

SHA256
1749962f2617c0d62d1210d27345d4280e5c194681ee5fe68ff8552487cf0896

SHA512
8605a652f28563edb240fd8d840c856105d89e940cc0249105c9e85ae4d9a8b840b384460938453a59a543a769ff9cfc562ad1af61db894521e6534030b2dad5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
83b49b2dbce57129c7f6530af1c3ddea

SHA1
2719a423ebb29a71d80c8f16105fcfb3ec235bec

SHA256
e7df7cf667ad2550d7a1558e9f7fb515c09ca233caed34ea49d3f9e73ad75a3d

SHA512
7c0ce18960070a264d92cbe9f16b4dcc8da80bf68221b44a74e03ef834722c1606a95e145773589d9ef74e58f4bc0585cf2a5d79f717ee4b27769dc5ccea9d27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
8bea8e1ad8c81311d9c0222a8762785a

SHA1
52cba260d4dfb7b6ca20fc6db2dc41d82a3c649b

SHA256
8defc0d3ecda59aca8540826c53022cd03975c9b3c434236d398a9504df69107

SHA512
40cede401fa52b9c734241b9acedba81ff49846b4f7236d3fe71379eb4a3715a61af7d7096cfcc4c7615501eb30adaf4f09eaf67d099a17c8ea2f8a97447fe6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
16a6a9006976332cbea3ecf4d2dd56f7

SHA1
044654c2f6bce36ff0cdedee838b474637fcb89a

SHA256
ab9e07ae52862b7b4c5d53322429855682cd048b74162bbdaa25d2edc274496c

SHA512
9568e516e083a99dee1e0e1f0e7ef28661008d728bb2865d42c7fc989bc8f4ee7ebc7800ff0da51065d852c91377b5fa4d0a3581c366a16dcdf29e02ec942329

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e7d901ad03d22078f4c42ecc83c3bd45

SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17

SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

Download Submit
C:\Windows\Temp\{3BBC82BE-E4E6-4844-907A-14327358907D}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe

Filesize
858KB

MD5
7d3c4418445bbdc0b7c521a747ec014c

SHA1
bff06746ba8d31cfc34637bac0b86158bc2de7ba

SHA256
f268a252ca87e394a9b653a05a9ce715e1808ccf480fb84197ebf8fbc4482146

SHA512
033ab1141c1edd39ae5b713b9b20bededf2cb9fef493d93d46c87e2f40b9f0cbe73cba7cb7c6b0f5613fa058bd67ad400aecc358bd4f544470aa8a1ca193e91a

Download Submit
\Windows\Temp\{3BBC82BE-E4E6-4844-907A-14327358907D}\.ba\PythonBA.dll

Filesize
675KB

MD5
de16adbe53c3cc500dd01a5ee9ebc813

SHA1
f4b99bd3c79bfa5c3693e37a0d649bb595422dbd

SHA256
e297b802136b33aa53b31b68183f01d421ece30dc5cc3519e45f0bcf4a47752f

SHA512
1733e6fda19be026a062585e225f4b14017fea34589e3f3fe48b0e9f69aecff772c44f4d962096b3e0c295374e79692cbc711ef3b7e4c4c4a8544c56de49c2a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.