mafiaware666 | hxxps://github[.]com/LJ9859/Malware-Database/raw/refs/heads/main/Ransomware/RIP%20LMAO[.]zip

Analysis

max time kernel
205s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LJ9859/Malware-Database/raw/refs/heads/main/Ransomware/RIP%20LMAO.zip

Score

10^/10

mafiaware666 discovery ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 2 IoCs

resource	yara_rule
behavioral2/files/0x0005000000000739-133.dat	family_mafiaware666
behavioral2/memory/4416-135-0x0000000000BA0000-0x0000000000CF2000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4416	WindowsFormsApp1.exe
1408	WindowsFormsApp1.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	WindowsFormsApp1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
396	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
4032	msedge.exe
4032	msedge.exe
1504	identity_helper.exe
1504	identity_helper.exe
1424	msedge.exe
1424	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2896	7zG.exe
Token: 35	2896	7zG.exe
Token: SeSecurityPrivilege	2896	7zG.exe
Token: SeSecurityPrivilege	2896	7zG.exe
Token: SeRestorePrivilege	1096	7zG.exe
Token: 35	1096	7zG.exe
Token: SeSecurityPrivilege	1096	7zG.exe
Token: SeSecurityPrivilege	1096	7zG.exe
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeSecurityPrivilege	628	svchost.exe
Token: SeTakeOwnershipPrivilege	628	svchost.exe
Token: 35	628	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
2896	7zG.exe
1096	7zG.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe
4416	WindowsFormsApp1.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 1992	4032	msedge.exe	82
PID 4032 wrote to memory of 1992	4032	msedge.exe	82
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 3744	4032	msedge.exe	83
PID 4032 wrote to memory of 1248	4032	msedge.exe	84
PID 4032 wrote to memory of 1248	4032	msedge.exe	84
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85
PID 4032 wrote to memory of 3552	4032	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LJ9859/Malware-Database/raw/refs/heads/main/Ransomware/RIP%20LMAO.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe26cb46f8,0x7ffe26cb4708,0x7ffe26cb4718
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14067133083522662192,13235224419051821175,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" t -an -ai#7zMap20470:78:7zEvent2411
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2896

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RIP LMAO\" -spe -an -ai#7zMap1011:78:7zEvent12121
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096

C:\Users\Admin\Downloads\RIP LMAO\WindowsFormsApp1.exe
"C:\Users\Admin\Downloads\RIP LMAO\WindowsFormsApp1.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4416

C:\Users\Admin\Downloads\RIP LMAO\WindowsFormsApp1.exe
"C:\Users\Admin\Downloads\RIP LMAO\WindowsFormsApp1.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4388
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EnterUninstall.eprtx
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsFormsApp1.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f36c53dc4b9ce853daf89907699d49c7

SHA1
4d020082fd52b6430b1c8982dbb7902a4915456f

SHA256
858681fd6d797e05aaa3240b09d3f618836cebc48e1c40b58a20589a072a3b40

SHA512
c8025fe8f907ccb0f0d64728414d083e3375aaa4d10bc2c4af817b2cc75f8643592d337c6ea0d0c15426276ae6adc5f6499446371db490bb6a4d93ee70ac3659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a369cce058a25b6563459d9cd8009f7f

SHA1
e0cfc52f36af2dcd81443a69fbfd694ce6aea8db

SHA256
468304e8a8f110c151c7bfded95cdca0bb84a6fa817ef3082f695e8c8ee0feb6

SHA512
929f841f27993d7b57afde8b0962674c48a9d69574f324434d090aa0ab3662e41ccc91197c3c4af0765964e0b9b61f662d0147ad381cb315dd318419515f3d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd207637214df9db4ccc86b9d9e82042

SHA1
4684805e08bd9601bf4b003ef5ef36f8f8e096cb

SHA256
699c6594abd31f7fe474f2f35d3d6dc03cc695a95111f314e840dc9a64fc7690

SHA512
a17ff0a4fd38b7ce310d1320be16a7538db73b9fcc73b99dde33d2420c79faa4a745ff2033afb5a9e4f7b12f15fc8cd18976b03e8921f66c2ebd803230b577b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c52f543df4fffa5eaa7c14ad88de1f6

SHA1
c659dd7b7c610fc2ef40357f09525abf723424ef

SHA256
1f2efc10b5486f64547cf66fb6a46775a325b660320f33ca3d42420c1edc9566

SHA512
faf989a7d6284717be5dccf2ec63e7c023af7f646c83d6b8f54be89702983fd4b9387f31e530efc07e7456738c4d8f34abc0cdf6d78f78aabbc51ea909ac3889

Download Submit
C:\Users\Admin\Desktop\___RECOVER__FILES__.crypted.txt

Filesize
2KB

MD5
7c4b7cb7762f508622ed970b15e4dc89

SHA1
cfe33375defeaf8ece919b6713c0cf4a70c057e7

SHA256
cebe7506463b100e0e3ba05ea5d2c5deeeefcd468dc90b4c54540cbb9932e70c

SHA512
76cee9f41c776f0454e8618345a3286bad8777492f16ac1e141f79f6543d567c6ccfa091613923ea690e7c0caf1ce1d66553f913056bdfee2041c6fd3d10966e

Download Submit
C:\Users\Admin\Downloads\RIP LMAO.zip

Filesize
1.3MB

MD5
cc17b7415ef8b6afb240325dbba61baa

SHA1
c3681a4d45a4ab10f704d193940f158cd63b41ff

SHA256
87e5b0bef97f9dc195693b5499a0e5f5d0ce7e3e5bf610cf7f2836904e1d9a62

SHA512
79c17e03333f2270ede348572bf2f231055433478d135c9c4aa3454b8c9b79bb34742f162cc6cac85da511a1ab219be75646393767388455cfcaad39b2a731c5

Download Submit
C:\Users\Admin\Downloads\RIP LMAO\WindowsFormsApp1.exe

Filesize
1.3MB

MD5
70117cfb0d652621da77c47c952fb81a

SHA1
3d841739fd18d02612851c10684631ddcdbc442c

SHA256
9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08

SHA512
abaa63d29588b5fdd5fdc99b1a9eeeeb5ec32416b24054ea5111d960c483492e8b76fd5652d32d8bf6380a7a803916e3009c90ffae9988bee6c4f09b4b7a71d8

Download Submit
memory/4416-135-0x0000000000BA0000-0x0000000000CF2000-memory.dmp

Filesize
1.3MB

Download
memory/4416-136-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/4416-137-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4416-138-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download