mafiaware666 | 613bfc0cb68ebda81470975ec0c9ee04f93e86f7981ef52cf7adaa9c07bfc1ba

Analysis

max time kernel
285s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransomware.rar
Size

1.3MB
MD5

772a5166cba8d08dd969ba5594038522
SHA1

0e6cfffeacfe6d684e5263bd0c2e91e7d83bb116
SHA256

613bfc0cb68ebda81470975ec0c9ee04f93e86f7981ef52cf7adaa9c07bfc1ba
SHA512

3675f882425934e69cc7a22c9d29465ded5006f73a38675b86c569bcf09e4e4f2d48e9b856bf675c7d7eedd8a9d7191fd8f29a7606448880810b8aa2904f8123
SSDEEP

24576:3vuG8CYh3RHD58zSmHeGG7EjzbrAXkf3/KJeqvkgVCSuTp2VsdzspJFe:/eCaj5iHeG0Ynf3EsWCzTs2zspre

Score

10^/10

mafiaware666 defense_evasion discovery ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000016976-6.dat	family_mafiaware666
behavioral1/memory/2848-8-0x0000000000C70000-0x0000000000DC2000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Renames multiple (124) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2848	WindowsFormsApp1.exe
5096	DecrypterPOC.exe
3992	DecrypterPOC.exe
3452	DecrypterPOC.exe
2684	DecrypterPOC.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	WindowsFormsApp1.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\DecrypterPOC.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\DecrypterPOC.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DecrypterPOC.dll:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1444	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2856	7zG.exe
4536	7zG.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1676	7zG.exe
Token: 35	1676	7zG.exe
Token: SeSecurityPrivilege	1676	7zG.exe
Token: SeSecurityPrivilege	1676	7zG.exe
Token: SeRestorePrivilege	2856	7zG.exe
Token: 35	2856	7zG.exe
Token: SeSecurityPrivilege	2856	7zG.exe
Token: SeSecurityPrivilege	2856	7zG.exe
Token: SeRestorePrivilege	4536	7zG.exe
Token: 35	4536	7zG.exe
Token: SeSecurityPrivilege	4536	7zG.exe
Token: SeSecurityPrivilege	4536	7zG.exe
Token: SeDebugPrivilege	4056	firefox.exe
Token: SeDebugPrivilege	4056	firefox.exe
Token: SeDebugPrivilege	4056	firefox.exe
Token: SeDebugPrivilege	3916	taskmgr.exe
Token: SeSystemProfilePrivilege	3916	taskmgr.exe
Token: SeCreateGlobalPrivilege	3916	taskmgr.exe
Token: 33	3916	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3916	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1676	7zG.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe
2848	WindowsFormsApp1.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe
3916	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3472	OpenWith.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe
4056	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 2208 wrote to memory of 4056	2208	firefox.exe	111
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 2296	4056	firefox.exe	112
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113
PID 4056 wrote to memory of 3480	4056	firefox.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ransomware.rar
1⤵
- Modifies registry class
PID:1936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4616

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap3174:100:7zEvent23566
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Users\Admin\Desktop\ransomware\WindowsFormsApp1.exe
"C:\Users\Admin\Desktop\ransomware\WindowsFormsApp1.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\ransomware\" -an -ai#7zMap32492:116:7zEvent20412
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\ransomware\" -an -ai#7zMap20747:116:7zEvent12637
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eb5b4f1-8984-41a3-848d-790f80c456e2} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" gpu
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eef6604-6c2e-4f9b-86f0-d2ba9868ce70} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" socket
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2868 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 2988 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b67cd8-8425-41ac-abd9-5ce4e76d45a2} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6da449c8-ca09-47cc-809c-b4f23f108747} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e920f80-ac01-4e18-8150-4355cae59f0f} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" utility
    3⤵
    - Checks processor information in registry
    PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde38450-856f-4572-a198-d3dbb8fb7ee3} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f9beac0-8ebc-457a-8779-7dd351c3c7fa} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e31b1ce9-4f42-4301-9c45-a254ee10e8a8} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 6 -isForBrowser -prefsHandle 1412 -prefMapHandle 3672 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60a16745-ccad-43d2-9fbf-2e78002b7894} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab
    3⤵
    PID:4836

C:\Users\Admin\Downloads\DecrypterPOC.exe
"C:\Users\Admin\Downloads\DecrypterPOC.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\Downloads\DecrypterPOC.exe
"C:\Users\Admin\Downloads\DecrypterPOC.exe"
1⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\Downloads\DecrypterPOC.exe
"C:\Users\Admin\Downloads\DecrypterPOC.exe"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3916

C:\Users\Admin\Downloads\DecrypterPOC.exe
"C:\Users\Admin\Downloads\DecrypterPOC.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.musky.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
e57a76bf1caa5bcc33a37d5764ccf6f3

SHA1
771c5e06a3ee274444aff27e76a26a6eedee45bd

SHA256
345c1f49e706c167cdaa03e2725dc12c2eaa5083289e95eeb2c398b471260f65

SHA512
3789546066bcdf5d6778a71182fd7ae989ad6642f3d5ebfb099673f4d4d64980cc5a6f5fca1fa9a3fa2cae146495ac6dd7b72208532aa7f269844d1091cd1605

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

Filesize
11KB

MD5
95ac400826c38b7dc2f19cbfd94cd26f

SHA1
893349846a22b2a1db4809607a99dff82971da20

SHA256
cc11bcc7c79965c4a507e876fc962416dc1b0c603eb281ba0c9bc2dbaa4d7621

SHA512
0b0f7e1a9e1db3533ae9ae41f482141ee6540818fb74c4412bd24c04214d0024df2f57186ac378d357bcf03a69b65dc66e11cfad227eb0adcfd9dca837152a31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
67a02370b2ce3aade35cece0d68247be

SHA1
c873f48a86075b36855ed0419228b6eafe9c7e4f

SHA256
5a2be90abef20f8f039aca8ea50273fca34436103127adfcf2d347214dfca9b2

SHA512
1ea5f6d9563ab4e6fcc2c07b1a9143e7113cd2938cd2e7b39e94ac5c7f9182e0e66b4945dec86a59b6dc19efe335a68db4c48ef12a2693b170307c24a6e9fa7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
c89a61aef65bc0243537794206b7391e

SHA1
3ddfdac21064d79b9d9679d17f37f3067db91cd7

SHA256
a6d3585ca92b79b658bd9f1d0a48d5b1ffcf8fd10a72905dde78eacb5f85a02a

SHA512
3c45a09341068d6d045fc556c388ebacf2184112864877c78a7ca27080df2e3a4c3d71c2c28a876a6fcae59d8b6957dd10813c5bb6e65b45745b155ae1815b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
1df233c19011eff567a22a313bdb6364

SHA1
140aaf9642a401b4190059fb4c0b242f392c25c7

SHA256
6cd2757b84569640117923e7092ce470d7a1efa1ca02a31657397271fb84e89d

SHA512
e1ba09b7634ed555c8a6eca43ef76a373b201c8d47b8facf582d9d6921a2bfde75639750bc25cab8f2bfcf2e190f782461a5b5418f6212b4d5de5410de14f197

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\54e94991-8bed-4422-bf0b-4c6747ddaaa7

Filesize
982B

MD5
3f41e3bd359b4ccab129123f0782569f

SHA1
86af8b27ee85035b365ed9b396286db51c066559

SHA256
8b86de2894b43b3469d5609d5f3319693a90173dc0a2d594746b549c524a3801

SHA512
7f1cb10b16eaea4a47ca4786af6a4dc4847d8a74bf4658310e838d3fe2df5118bb42e3c9537f3d8051a939dd6bff6060b51be0463412526014917830eed7b71c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\e0faee8a-a396-48ce-b8e6-3094a116e266

Filesize
659B

MD5
97e0e9f782ddaf4a2e16501c82479f9a

SHA1
010164c953c37b33ea8c4e6a9f8893c9afeb2416

SHA256
246f6d9a8d58cdb37a077ce2f65e2ef2b395ca269c2af7cb7d34fd02c32f4868

SHA512
673968b0dc728cbdab61bcd66c611be6c9d6763b246c31e1c62763700727e7829627fba60582bfdb882c836bddd983bf0bc859726e12a006765d4184a151bebd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
11KB

MD5
e82d72beb65a152bf4badfdc6c5c4c21

SHA1
ce91ab707cbffb5d6eb3b2204c1bd18f7a8f5060

SHA256
71b2de4b9f8edd5e781a5baa43c4eb96118506099d9807bc4720db1618ca9807

SHA512
fd9a53ec35b93aafdf3294753c7eb159b9b34d73f5c469c8682ec3068ad4ae1ec7a1a162ad0f7e93ab3a59a6ab3feb9fcffa9ad4c17d0d410980ae2241e55ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
12KB

MD5
a35edbf24a7e43acd0b11e62b691804d

SHA1
fb995b98f91151b479708e0cf0674dc3c2e31806

SHA256
787126c089918eef3095ec979ffd26ffb51d11bf051b280e2e428bc6c0e80a81

SHA512
8b67809058db491989f5ea7fc96d99a17b2979e78355236b2212809e6c8c7882b57ccb76fa6ec2821fbde78cd0de4a52a5300fcba70ca6bba3f7dfbdb229934d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
ce2e0f0e0d50611cada47489defdac58

SHA1
118b39732ccded56de76f9ebce11c320b1eea939

SHA256
193deaa6fcc4e1b5c5585e730be72ea12b8292c73b1185503413c3ce5da840f1

SHA512
9214b409d4a65ac7d491357793b36e6ec38cea450c5f98137731e331364140741cc86513638f286b76752a2a7ec7cd0c6765a586387e164d56dc7634c1d3f63b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
493c945071eb43091f75b03a586d9435

SHA1
d8fb98489390e314ab5cc3d4c48874fa564e7e26

SHA256
c58f03bbd90b0a12ad963e6a556dfe9bee8358b60a9593e56bc4c73a838e1986

SHA512
249dc53dce2af63aa36fa0f9410ae23cea998e5518fbac8c3cc39ec1b8b9ff57cb346aa732b87ab379318dd30636c52dfedb6ef0915b41bba2120b2ffe76fce2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
082f5144768816e40d2badac0c42fb0d

SHA1
830da9fc86377df392ac3280ee1dc6ee22275aa2

SHA256
8fd2327ad547992ac9b4268cda63ca0b3bfbdadbd0a9774bafa6d43e97dec744

SHA512
87ce051a204885d70fb7c54a7d12e85c804cdc2c1816d5366c49775d8128c2a105444021450f5e5f5264ad0c982bb36d4183d396cfc763a3d5ed4be6b43c0326

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
fc1f42cba93a1cb4968544b50b816069

SHA1
9134995d7c8d8937190aba2d2fb1324ddba877e4

SHA256
073c3fd9904f9adda870d2de31fa55ca9e4cd731579d67873053783eb09f42d6

SHA512
f7fac0487be749f91bda8f638ad13bfbf37e5e6b4eb77397545fd2d0a291ac8fa1bcb1255af5bf72c5b49d10bfec7852634a2157dfeaff7c8395f4addb4afb0f

Download Submit
C:\Users\Admin\Desktop\___RECOVER__FILES__.musky.txt

Filesize
5KB

MD5
6b39e4a5ece9d2a8d122311d2671e2b1

SHA1
c6ffc813b3f7cdc56d851b179aae8c99000d103b

SHA256
0b62aba239e2164c7c4fa627e4d1182bf6d9fd4c7dd9ea86638d0219b98aba5e

SHA512
4704359adb99fe60a10b45450cd7fb261d12633078d674446a856a50540924e203c635a0508fe99c6bfa8e10e6c24e90ca53369ca8a5bdd9bdbe1a0e3ee91d8c

Download Submit
C:\Users\Admin\Desktop\ransomware\DecrypterPOC.dll

Filesize
7KB

MD5
f9041d6bbdc073623b4d863b82ddf857

SHA1
d9126ac71bdb2a12bbb011a5bf76ac80939cf37a

SHA256
abad3fb6df9a99ea3f534511d7d347c16c5b2f52ecb23b3e3c76741c447953c3

SHA512
916798651e8c382ab10ba24076f9b22a9683b8e0cb1146042384b5f6ce9e4d31dac2fc6d6b5703d12746839a64c823344a4c84671692420c5488329957fed1e7

Download Submit
C:\Users\Admin\Desktop\ransomware\DecrypterPOC.exe

Filesize
154KB

MD5
13a41a2bf6de0803eee77582e3a4f88e

SHA1
fbec44e22820e075cf5037fc7de13a281c76b4de

SHA256
80f2e92ae725058452833e09914b83db986f9d793be210143bb88d1d5352f054

SHA512
366d6ea71db4fa97d92bc70ffa8720899b47508610059a4ad56b447038b9ff4a9364977f091e2e899a0442c2296962e37be6e9e65f4341579d5fd8f477131a84

Download Submit
C:\Users\Admin\Desktop\ransomware\DecrypterPOC.exe.musky

Filesize
154KB

MD5
688d465e7b025ac30d4f7db814e66eb9

SHA1
cbc33b33b4a8d2d5c6701723bcb59e6306375a04

SHA256
6be847042c808602674e7a8c047f50a6a93bcb28ac469eedd6b90347af3fad7a

SHA512
1ab84f1fa5342da86e998cb67ed1562d53fa420747e388b01372937598436e0e5b4ed1abb81b76e1bfb1be4cbdb875c6082477c4f75d7272edcbbbafbe307b77

Download Submit
C:\Users\Admin\Desktop\ransomware\WindowsFormsApp1.exe

Filesize
1.3MB

MD5
5d332d052aa86cb9938ca8667ff76834

SHA1
e19401f2204f8a0cdb6e490ee1f12f521194d67c

SHA256
053497fdfe74ac65e5210cf3545415fac56c6ba12d699dca79e2d5991c7051ee

SHA512
59a2b6eee9e5a8e5deda3325379a70ec26f88da7ca8266ac158b2ea69038f2163172fa3770669ac1250bcaae2d3bcf6513be6e7fa8e787f471aa6cd38ad41153

Download Submit
C:\Users\Admin\Downloads\DecrypterPOC.PCvAzcVJ.exe.part

Filesize
4KB

MD5
dfb470012eb6f771f4f46ef7ad0e3b36

SHA1
7336da8246fad0f61bbd7eb13e1f04ba57f959f6

SHA256
06e25166e323c7f73199ae624655d3e23c2aa474db83c5c6ccf2804ec516805a

SHA512
8227534774763c738397c22c91c6ab9ce8d5bed32a83b135d70fce4182151c1aec650b2f892ef80cc63bc35fc645b389426c37b5040b993b92eca20251009ed7

Download Submit
memory/2848-10-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/2848-8-0x0000000000C70000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/2848-9-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/2848-11-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/3916-649-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-642-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-653-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-654-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-652-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-651-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-650-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-644-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-648-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download
memory/3916-643-0x0000025ED9F90000-0x0000025ED9F91000-memory.dmp

Filesize
4KB

Download