Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-10-2024 21:33
Static task
static1
Behavioral task
behavioral1
Sample
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
-
Size
356KB
-
MD5
1e096e7c6ffb32332933f693d00c6795
-
SHA1
28e7f909cbc28ca3af8af503111c5fc9f42502b7
-
SHA256
963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
-
SHA512
8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
SSDEEP
6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/31AA1B2BB87F998D
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/31AA1B2BB87F998D
http://yyre45dbvn2nhbefbmh.begumvelic.at/31AA1B2BB87F998D
http://xlowfznrg4wf7dli.ONION/31AA1B2BB87F998D
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cknnxfusdluq.exe1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation cknnxfusdluq.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe -
Drops startup file 6 IoCs
Processes:
cknnxfusdluq.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe -
Executes dropped EXE 2 IoCs
Processes:
cknnxfusdluq.execknnxfusdluq.exepid process 5004 cknnxfusdluq.exe 1180 cknnxfusdluq.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
cknnxfusdluq.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tkfybjr = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\cknnxfusdluq.exe" cknnxfusdluq.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.execknnxfusdluq.exedescription pid process target process PID 1008 set thread context of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 5004 set thread context of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe -
Drops file in Program Files directory 64 IoCs
Processes:
cknnxfusdluq.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-125_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_animation.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-125.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-100.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-20_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryLeft.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-60.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\WinMetadata\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-fullcolor.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-100.jpg cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-lightunplated.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak cknnxfusdluq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-200.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-100.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_NinjaCat.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-200.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png cknnxfusdluq.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125_contrast-high.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-100.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-400_contrast-white.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\_ReCoVeRy_+twvcj.txt cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-400.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\_ReCoVeRy_+twvcj.html cknnxfusdluq.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\_ReCoVeRy_+twvcj.png cknnxfusdluq.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png cknnxfusdluq.exe -
Drops file in Windows directory 2 IoCs
Processes:
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exedescription ioc process File created C:\Windows\cknnxfusdluq.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe File opened for modification C:\Windows\cknnxfusdluq.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.execknnxfusdluq.execmd.execknnxfusdluq.exeNOTEPAD.EXEcmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cknnxfusdluq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cknnxfusdluq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 1 IoCs
Processes:
cknnxfusdluq.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings cknnxfusdluq.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1524 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
cknnxfusdluq.exepid process 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe 1180 cknnxfusdluq.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.execknnxfusdluq.exeWMIC.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe Token: SeDebugPrivilege 1180 cknnxfusdluq.exe Token: SeIncreaseQuotaPrivilege 3944 WMIC.exe Token: SeSecurityPrivilege 3944 WMIC.exe Token: SeTakeOwnershipPrivilege 3944 WMIC.exe Token: SeLoadDriverPrivilege 3944 WMIC.exe Token: SeSystemProfilePrivilege 3944 WMIC.exe Token: SeSystemtimePrivilege 3944 WMIC.exe Token: SeProfSingleProcessPrivilege 3944 WMIC.exe Token: SeIncBasePriorityPrivilege 3944 WMIC.exe Token: SeCreatePagefilePrivilege 3944 WMIC.exe Token: SeBackupPrivilege 3944 WMIC.exe Token: SeRestorePrivilege 3944 WMIC.exe Token: SeShutdownPrivilege 3944 WMIC.exe Token: SeDebugPrivilege 3944 WMIC.exe Token: SeSystemEnvironmentPrivilege 3944 WMIC.exe Token: SeRemoteShutdownPrivilege 3944 WMIC.exe Token: SeUndockPrivilege 3944 WMIC.exe Token: SeManageVolumePrivilege 3944 WMIC.exe Token: 33 3944 WMIC.exe Token: 34 3944 WMIC.exe Token: 35 3944 WMIC.exe Token: 36 3944 WMIC.exe Token: SeIncreaseQuotaPrivilege 3944 WMIC.exe Token: SeSecurityPrivilege 3944 WMIC.exe Token: SeTakeOwnershipPrivilege 3944 WMIC.exe Token: SeLoadDriverPrivilege 3944 WMIC.exe Token: SeSystemProfilePrivilege 3944 WMIC.exe Token: SeSystemtimePrivilege 3944 WMIC.exe Token: SeProfSingleProcessPrivilege 3944 WMIC.exe Token: SeIncBasePriorityPrivilege 3944 WMIC.exe Token: SeCreatePagefilePrivilege 3944 WMIC.exe Token: SeBackupPrivilege 3944 WMIC.exe Token: SeRestorePrivilege 3944 WMIC.exe Token: SeShutdownPrivilege 3944 WMIC.exe Token: SeDebugPrivilege 3944 WMIC.exe Token: SeSystemEnvironmentPrivilege 3944 WMIC.exe Token: SeRemoteShutdownPrivilege 3944 WMIC.exe Token: SeUndockPrivilege 3944 WMIC.exe Token: SeManageVolumePrivilege 3944 WMIC.exe Token: 33 3944 WMIC.exe Token: 34 3944 WMIC.exe Token: 35 3944 WMIC.exe Token: 36 3944 WMIC.exe Token: SeBackupPrivilege 4868 vssvc.exe Token: SeRestorePrivilege 4868 vssvc.exe Token: SeAuditPrivilege 4868 vssvc.exe Token: SeIncreaseQuotaPrivilege 720 WMIC.exe Token: SeSecurityPrivilege 720 WMIC.exe Token: SeTakeOwnershipPrivilege 720 WMIC.exe Token: SeLoadDriverPrivilege 720 WMIC.exe Token: SeSystemProfilePrivilege 720 WMIC.exe Token: SeSystemtimePrivilege 720 WMIC.exe Token: SeProfSingleProcessPrivilege 720 WMIC.exe Token: SeIncBasePriorityPrivilege 720 WMIC.exe Token: SeCreatePagefilePrivilege 720 WMIC.exe Token: SeBackupPrivilege 720 WMIC.exe Token: SeRestorePrivilege 720 WMIC.exe Token: SeShutdownPrivilege 720 WMIC.exe Token: SeDebugPrivilege 720 WMIC.exe Token: SeSystemEnvironmentPrivilege 720 WMIC.exe Token: SeRemoteShutdownPrivilege 720 WMIC.exe Token: SeUndockPrivilege 720 WMIC.exe Token: SeManageVolumePrivilege 720 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.execknnxfusdluq.execknnxfusdluq.exemsedge.exedescription pid process target process PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 1008 wrote to memory of 3216 1008 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe PID 3216 wrote to memory of 5004 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cknnxfusdluq.exe PID 3216 wrote to memory of 5004 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cknnxfusdluq.exe PID 3216 wrote to memory of 5004 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cknnxfusdluq.exe PID 3216 wrote to memory of 2988 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cmd.exe PID 3216 wrote to memory of 2988 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cmd.exe PID 3216 wrote to memory of 2988 3216 1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe cmd.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 5004 wrote to memory of 1180 5004 cknnxfusdluq.exe cknnxfusdluq.exe PID 1180 wrote to memory of 3944 1180 cknnxfusdluq.exe WMIC.exe PID 1180 wrote to memory of 3944 1180 cknnxfusdluq.exe WMIC.exe PID 1180 wrote to memory of 1524 1180 cknnxfusdluq.exe NOTEPAD.EXE PID 1180 wrote to memory of 1524 1180 cknnxfusdluq.exe NOTEPAD.EXE PID 1180 wrote to memory of 1524 1180 cknnxfusdluq.exe NOTEPAD.EXE PID 1180 wrote to memory of 4432 1180 cknnxfusdluq.exe msedge.exe PID 1180 wrote to memory of 4432 1180 cknnxfusdluq.exe msedge.exe PID 4432 wrote to memory of 664 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 664 4432 msedge.exe msedge.exe PID 1180 wrote to memory of 720 1180 cknnxfusdluq.exe WMIC.exe PID 1180 wrote to memory of 720 1180 cknnxfusdluq.exe WMIC.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe PID 4432 wrote to memory of 2024 4432 msedge.exe msedge.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
cknnxfusdluq.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cknnxfusdluq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" cknnxfusdluq.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\cknnxfusdluq.exeC:\Windows\cknnxfusdluq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\cknnxfusdluq.exeC:\Windows\cknnxfusdluq.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1180 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe261446f8,0x7ffe26144708,0x7ffe261447186⤵PID:664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:26⤵PID:2024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:36⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:86⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:16⤵PID:4488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:16⤵PID:2988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵PID:4020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:16⤵PID:3196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:16⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:16⤵PID:212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:16⤵PID:1228
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:720
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CKNNXF~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:1948
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E096E~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:2988
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3972
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3472
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD508da21c3705f679e8a03b4ac34def258
SHA125aed94c7159a206b43b17749db7e0855ec3b57a
SHA256db2509f7ebd35fadc327568329225842331f8dfe722ad7793b1688e4394eb074
SHA5122640eef5cae4489f3a97cce56f0b617d02f708919eefe8af1b46603f88a8979d00fd981ee8b18c12d6403d41e6cf0dbe4a34850e59af2a72c10b125b9603941b
-
Filesize
65KB
MD5baa00fb75d9491574bd4470833121267
SHA1a375c91092188dbc4e31ce27da86996aba3c1e88
SHA2566a7faab97df6dd74e7ebcc74128878ab60b639c4c996ee44869b59077677b7c2
SHA51255b6784a494bfef465f83aad8ea38903c74b6e18857e44422619c692d157850db315eb46ff596b12290a333119cf6d44d81b1b1072cb914156248ebc4a3409fc
-
Filesize
1KB
MD5a50317f8f74f8897e92397fe781c6da5
SHA1913529a938c6e33dde968cf00d2234bf4ba881b6
SHA256a58e8a498a7832d47ae0fdc064fd695086829294688152f3f81b38f21461773e
SHA512e80989d6b6b0412f9dad68a0a1bc805b8d848c57cc6f6fd45cb8b6aac7c83a1c91321380c230c487006f7c39c6ed7c5d6f7d3e53f7ac2e9ade1d471c52608bac
-
Filesize
560B
MD5a5d18b6561133987b50103a1789cca6f
SHA1c8df61bc666a52c7900f34f486e00938709594db
SHA256a3e7bd5677eaab13a8877e182ee4e2bfbeac760fa856857ed82d31337d5e7dfe
SHA512b2c7189bceb7580c23edd4e98a0dc827edd3301fe7821ebe6eb65c1d66af5ed562fca0fc69baea41a4507f1732db4e7ebd94799c1f3b8bfab29aaa46cf7bfad3
-
Filesize
560B
MD50e308d6da91c8139494e0f4d7d98625f
SHA1949e7219df1a66b05551c75459a1af1623e6ff70
SHA25654dd433ca5e732d63f0b43a1abc9d11b4ef87dfc728769234729812bbfa09eee
SHA5129e82b3d8c01da653134e71d7d5b5b6695bf049b5f26261c5f812ecfc5de733bf90773825bfc031cc7dded893414b6bada26f7b6420c6c34f6b7215a5d805f965
-
Filesize
416B
MD5173e082c9ce3b9c9c2e81b3da1844f46
SHA13b73cdd3caec44af7aa862482d8918aefc5ad397
SHA256eeb4e2c9dbfdc805538baa8bcded6c7cad14c4a91e640363be83050947f969f8
SHA5121fd27f3847f548a974c7a8c099354e417418161201c970d343ba6c96dce786085b427e168d8ded57ed47ec8ae256285c6dfec79f8ecc205d01427a4f822c56c7
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
6KB
MD5022085245f3c85686bf17bfc97a50464
SHA1646ac9e0d28250feccfcf609abd1b44df74d2fb5
SHA2568962d69d2205df80533c06833172e94fec5cb0a04fdf6b640487161944f94b9b
SHA51249a79cdf4b8858b2b22bf408d432db18ef1fcf1e474af0db3335359f8a03d308336bbd9c0d5dde383acbc11a84c143018e1802d47fcb13b45ebda876c661ea6a
-
Filesize
6KB
MD51477ea3b6152f6c9476b59d508cda116
SHA1c401e2aaa84d8ac2247a4ac5504b0fa69aab2254
SHA256f87d9067ee7c003114217a2cb7f91797c8de2a86c568b99a504bffc620eb4386
SHA512f014d50c64815f26d8e1da9defa35065a20e99e3c6d0517b9506d6c8e4f781eb63450035de6362e63afb60f084118c3ff10c920b4627bd4af56a802fee10d8b7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD567ca0b4d4e80b1d556cbe31a202171c2
SHA121940dd7a087ab9ba5c33d372b69021651a56533
SHA256cb5f4c6e8ab9bbfaa593404b761c806ba111fa830921fa22dfc029686885cd43
SHA512a838267ff11d63453eccf64d8e1dcd7147d6b306e7aae7a4028e69d69c09aa0d02d691f7b749a578ced5ca14cf49e58d4043fff62c52adbbac51877e005760df
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt
Filesize77KB
MD5ce879ac914f9d6a416102e319db4dcc5
SHA15ee641bc21612151682a3f480cb38641bfcdab94
SHA25646d219a89e67b3d8a1d06fe788773d183d1511bdb48b0fd3894a0fcb7e3ada56
SHA5127220100d701265aec27caf71257766448e44327ccd1afc0cfaf8da2d6bac79a874ea0c7cd1fc23426e03160c35af9b2ae457f98c8b3a8b67072cf85d162718f7
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt
Filesize47KB
MD58bbd94c93d47f40ade7225f396ee5c1a
SHA1f39435ae26e91d591875eccd6cffb1298dc9f134
SHA256839c5f464d01636b4fc1c83731722acd1a36ec49ad1ed3263d2d91710a013304
SHA512784cec555e95f2a9e9aa8b0e31b2d349c909047654beaf315ea58845143d5b7594f4ff07a4a46943cd2f5f873ee397f4e366356ed3fb90d0b1f91a0641ce0df8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt
Filesize74KB
MD531c713c5f882f3a6fdb25127a6ce4ffe
SHA1648941512af20e5b342507682ea161f3d50ad3ef
SHA2564791d511043ce681ffb6d33688b04e51d1f1a0047df40530b9692e055d17a381
SHA5129849bc926064149b4f8ad066c30103cf4ba3bbe17e1eee2ba6043defa08159f58f0854c8bd7b1293a214f2828fefcb01ec975cfd5aaaae3e9b0b3fab33ee0123
-
Filesize
356KB
MD51e096e7c6ffb32332933f693d00c6795
SHA128e7f909cbc28ca3af8af503111c5fc9f42502b7
SHA256963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
SHA5128c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e