teslacrypt | c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
Size

356KB
MD5

96c53da97c6cf0c79d278f0f69609ed6
SHA1

c57ae0b44b2feea3e4722c672e4d2c20aaa4d2de
SHA256

c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca
SHA512

08e04cecef4b1e4d6fc710115c1065de2d0e4ff358046ac5d00920a66814905af51f5859e4dbe92a7d2744fba092cb4addb96f349caaf608177de1766330bf44
SSDEEP

6144:rnuEzhHd/Opk3p1JWsjCLmwRHbN4mjc5SWH6NJBZwb9:rth9NJWsjDwR7NvjcSdNJBZw

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\_RECoVERY_+dhjme.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/636B101C708ADF6A 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/636B101C708ADF6A 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/636B101C708ADF6A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/636B101C708ADF6A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/636B101C708ADF6A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/636B101C708ADF6A http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/636B101C708ADF6A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/636B101C708ADF6A

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/636B101C708ADF6A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/636B101C708ADF6A

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/636B101C708ADF6A

http://xlowfznrg4wf7dli.ONION/636B101C708ADF6A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exexwcequbppado.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	xwcequbppado.exe

Drops startup file 6 IoCs

Processes:

xwcequbppado.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dhjme.html	xwcequbppado.exe

Executes dropped EXE 1 IoCs

Processes:

xwcequbppado.exe

pid process

3160 xwcequbppado.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xwcequbppado.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lspqgwgihlut = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\xwcequbppado.exe\""	xwcequbppado.exe

Drops file in Program Files directory 64 IoCs

Processes:

xwcequbppado.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30_altform-lightunplated.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-300.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_nor.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\FlatFreehand3D.mp4	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_altform-unplated_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\calls_emptystate_v3.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-125.png	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	xwcequbppado.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Lollipop.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-125.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\6.jpg	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-125_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-100.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-400.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-200.png	xwcequbppado.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Flight.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-20.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_RECoVERY_+dhjme.html	xwcequbppado.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\_RECoVERY_+dhjme.txt	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-white.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-200.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-125.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-200.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-100_contrast-white.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-36_contrast-black.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\_RECoVERY_+dhjme.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\DeleteToastQuickAction.scale-80.png	xwcequbppado.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+dhjme.png	xwcequbppado.exe

Drops file in Windows directory 2 IoCs

Processes:

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\xwcequbppado.exe	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
File opened for modification	C:\Windows\xwcequbppado.exe	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xwcequbppado.exe

pid	process
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe
3160	xwcequbppado.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exexwcequbppado.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
Token: SeDebugPrivilege	3160	xwcequbppado.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4740	WMIC.exe
Token: SeSecurityPrivilege	4740	WMIC.exe
Token: SeTakeOwnershipPrivilege	4740	WMIC.exe
Token: SeLoadDriverPrivilege	4740	WMIC.exe
Token: SeSystemProfilePrivilege	4740	WMIC.exe
Token: SeSystemtimePrivilege	4740	WMIC.exe
Token: SeProfSingleProcessPrivilege	4740	WMIC.exe
Token: SeIncBasePriorityPrivilege	4740	WMIC.exe
Token: SeCreatePagefilePrivilege	4740	WMIC.exe
Token: SeBackupPrivilege	4740	WMIC.exe
Token: SeRestorePrivilege	4740	WMIC.exe
Token: SeShutdownPrivilege	4740	WMIC.exe
Token: SeDebugPrivilege	4740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4740	WMIC.exe
Token: SeRemoteShutdownPrivilege	4740	WMIC.exe
Token: SeUndockPrivilege	4740	WMIC.exe
Token: SeManageVolumePrivilege	4740	WMIC.exe
Token: 33	4740	WMIC.exe
Token: 34	4740	WMIC.exe
Token: 35	4740	WMIC.exe
Token: 36	4740	WMIC.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exexwcequbppado.exe

description	pid	process	target process
PID 3844 wrote to memory of 3160	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	xwcequbppado.exe
PID 3844 wrote to memory of 3160	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	xwcequbppado.exe
PID 3844 wrote to memory of 3160	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	xwcequbppado.exe
PID 3844 wrote to memory of 2948	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	cmd.exe
PID 3844 wrote to memory of 2948	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	cmd.exe
PID 3844 wrote to memory of 2948	3844	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	cmd.exe
PID 3160 wrote to memory of 4740	3160	xwcequbppado.exe	WMIC.exe
PID 3160 wrote to memory of 4740	3160	xwcequbppado.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

xwcequbppado.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xwcequbppado.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xwcequbppado.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\xwcequbppado.exe
  C:\Windows\xwcequbppado.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3160
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\96C53D~1.EXE
  2⤵
  PID:2948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_RECoVERY_+dhjme.html

Filesize
11KB

MD5
5402d2b55d082919cd11252633e05e3c

SHA1
a6f528a688004e253987309249f57d6d0f4c474c

SHA256
1f220d3c871658da7514ab86a87cf2f2cc3c76ac316994265446105a8b650e10

SHA512
914dcdc29e67f12754ea9b26c188522ec0610986eaffcfd02cc557919c4511d735a40c500c9581e40139f05f56237f563d7d9fc653dd9d7551b1c60f726d8c69

Download Submit
C:\PerfLogs\_RECoVERY_+dhjme.png

Filesize
63KB

MD5
30fbfe280d89353060130e1bf3609cdb

SHA1
7c1aee000841a9628522461787b79a2b17c06a35

SHA256
98558147ffaadc8cf05b32029e83eb9f92a7d077ff695a2fd07c53dbb32bd9ab

SHA512
d594ac7d243f596fbffec96beca9c108c27fffd8d7a706031e85018e6bc246a47170cb061d4d4847bddcf3b085435b43c4937811dffb20354ba2288b8e6fb1a6

Download Submit
C:\PerfLogs\_RECoVERY_+dhjme.txt

Filesize
1KB

MD5
b3686b83bdcd4be8deeacc32c3d0d105

SHA1
064eae704ea2122285851a4711da2b1e78b4e7f1

SHA256
84679a70783b30966fe88dfcf9f5acb09ccc48153fa4bc622eccc39317a2e8a8

SHA512
a9513525b557eb7200f836b1550c5a848d0f45e18580668feceaea954ab3d76c7c9a72b92d9148ad2a83cb864c574b5b41565e3589a86912438b2c1d25c53660

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
0bdd8f414363964f0bd86f893cd978c1

SHA1
55856bc3734e63a569c12f761680bd076fa1cce2

SHA256
6509da77b044e84fe7c0cf8f7768799c9b0746ef11f254c3b8a512b01ec5a832

SHA512
accd4fb2017ed5fc9cfe339a320bb6b342bc04bcc98d134fef64681a64c55699a2238e94ab8bbd51860bbd6ab4047947c846d78d5b129afbae387efff4d02186

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
4ffafb2085a1441d7fa1f82e05b14a8b

SHA1
bd396c9ff58684629d0adeabddb30c2eae5f6344

SHA256
017b43e4c1e25da1d9a46a82226d890326c8a4c7d88fa951eef2c1dcbed44b80

SHA512
4326f39d01dbf7432a97ca32a536ac9ed328adb463e1824721d42e47499a57ef048f5bd35a320aa8f264ef3c7a2ecfb508c86c26c991fae1fe863b02cc4ef8a6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
577e9b71c309029c33d8753c5363579e

SHA1
fb5f9fd9904c2059a7e4779ea7d5d0f7ba114a08

SHA256
95d59ac870754fa493fb54af20b29796ee297a764420ad0cd4423cabc31b7305

SHA512
7ba3da9f089073740eaa181d0f4858e3064d88090a87a4e813ce086623c5e06554e651f8a1e5ce0b390753286efa88fdde02bc90bca7946a11a0909d49508a67

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534305838784240.txt

Filesize
77KB

MD5
613345f021c161638c52eb74bb62ff73

SHA1
c2db03e896b9e90292ac23680664de99fea87e23

SHA256
f15ca4133fd2c1a150480428231a77e725e9f5c42b26aa17a488432d64ca73b9

SHA512
5eea90be9737be17630fab090908078c8c44cef18963a6eec996e3e9ac5d5424f72592b5540b6460192b562b45e6f04bd67cf23cdf9416731997c6017c5151a3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534325129811261.txt

Filesize
74KB

MD5
04669244630853db1637c930b5bcb0a1

SHA1
600bec74d58807f75e662b6d258f33a60c9a6378

SHA256
44d37e1f9f9ebd4f4b125af7e5e3f68477cdf2aed90f10fa89e158abc246748b

SHA512
eafc03c74e973d23693ff9852a579df7016de5986d645499e094ca5c4b4feabc4f5c31d314fdcbfaf2035c78cb0bffb895743a2147a4841abb5415072a5845bc

Download Submit
C:\Windows\xwcequbppado.exe

Filesize
356KB

MD5
96c53da97c6cf0c79d278f0f69609ed6

SHA1
c57ae0b44b2feea3e4722c672e4d2c20aaa4d2de

SHA256
c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca

SHA512
08e04cecef4b1e4d6fc710115c1065de2d0e4ff358046ac5d00920a66814905af51f5859e4dbe92a7d2744fba092cb4addb96f349caaf608177de1766330bf44

Download Submit
memory/3160-1457-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-7052-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-734-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download
memory/3160-578-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-10371-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-9089-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-1137-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-8017-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-1958-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-2852-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-3791-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-4621-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-5804-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-617-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3160-9-0x0000000002130000-0x00000000021B6000-memory.dmp

Filesize
536KB

Download
memory/3844-14-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3844-15-0x00000000022D0000-0x0000000002356000-memory.dmp

Filesize
536KB

Download
memory/3844-0-0x00000000022D0000-0x0000000002356000-memory.dmp

Filesize
536KB

Download
memory/3844-1-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download