teslacrypt | 91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Size

388KB
MD5

27e887aa14f3890a72f06ec5d0759f20
SHA1

8bacf22533725fd98c254c8eb6852edbe225a0ef
SHA256

91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
SHA512

56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089
SSDEEP

12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3 2. http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E28EB396F85EF8A3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3 http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3 http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E28EB396F85EF8A3

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3

http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3

http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3

http://xlowfznrg4wf7dli.ONION/E28EB396F85EF8A3

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2200 cmd.exe

pid	process
2200	cmd.exe

Drops startup file 6 IoCs

Processes:

jyidguupnjpt.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.html	jyidguupnjpt.exe

Executes dropped EXE 2 IoCs

Processes:

jyidguupnjpt.exejyidguupnjpt.exe

pid process

2684 jyidguupnjpt.exe
1664 jyidguupnjpt.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2684	jyidguupnjpt.exe
1664	jyidguupnjpt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jyidguupnjpt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\kcwopqnsgihy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jyidguupnjpt.exe\""	jyidguupnjpt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exejyidguupnjpt.exe

description	pid	process	target process
PID 2272 set thread context of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2684 set thread context of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe

Drops file in Program Files directory 64 IoCs

Processes:

jyidguupnjpt.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Uninstall Information\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\Recovery+kvroe.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	jyidguupnjpt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Recovery+kvroe.png	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\Recovery+kvroe.html	jyidguupnjpt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	jyidguupnjpt.exe

Drops file in Windows directory 2 IoCs

Processes:

27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\jyidguupnjpt.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
File opened for modification	C:\Windows\jyidguupnjpt.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

jyidguupnjpt.exejyidguupnjpt.exeDllHost.exeIEXPLORE.EXE27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.execmd.exeNOTEPAD.EXEcmd.exe27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyidguupnjpt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyidguupnjpt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000762b1acf936c3c4fa8988255befb19bb00000000020000000000106600000001000020000000786280ffb3cf15ee7dfb9be7c970271ed87e88aa99284db78da556f7d82fa2fc000000000e80000000020000200000000d683fd5ec25a84e6f57d06c4eaab018a3a97c970ee76dca0cb821812b29a2472000000011420f5b28e373dd916886ef47bdfab5c5fff9e6c4d089c8b6bdf0639b9fbb65400000006ed09f7c0a1a1b8dabaf7076c2911a2257a663b9864295eb0d5a80bc7848282ab9c438e450985e42aa0a23720fa674f5b8450a42c6d251ae02ea199808ca4442	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000762b1acf936c3c4fa8988255befb19bb00000000020000000000106600000001000020000000a85c94fe12ef3bfac1408c4041eed9954614b73251afaf4cfa2579f8b6859b88000000000e80000000020000200000007d475d9d49927da2ba63cf556a4efee62c5b657684d7d99500fb9087aedc4fde900000002c2a1bcf1e5d767b71d94960ae6b83548adf84ae61c150f9653f9b5d497d8963825b2d4218f494671f6cd602745c4130c35668fbe90cc7d3fb0fb73b553cb7ff63651fbe3e4fd23a44bd7244e6ed840fa9ce80430bbde6059928b5504ba93fc564ceb0a8bc9cabea4e21785fb181759ecabf76520e1b7e31d99d948b494e6dd35e28eb4156614e92628052a8f3bd11b840000000eecac1bf961f1d81ec144863abe533f728ea45007f1392fa4cdb3be3f6e694780edc7a2392cb54f263f6ce711f9e413d9974488a700d7ecf3bae0fcd579d30a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ea8861201adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8D1D6061-8613-11EF-8BBB-46D787DB8171} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

jyidguupnjpt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	jyidguupnjpt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	jyidguupnjpt.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2324 NOTEPAD.EXE

pid	process
2324	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jyidguupnjpt.exe

pid	process
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe
1664	jyidguupnjpt.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exejyidguupnjpt.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Token: SeDebugPrivilege	1664	jyidguupnjpt.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2556	WMIC.exe
Token: SeSecurityPrivilege	2556	WMIC.exe
Token: SeTakeOwnershipPrivilege	2556	WMIC.exe
Token: SeLoadDriverPrivilege	2556	WMIC.exe
Token: SeSystemProfilePrivilege	2556	WMIC.exe
Token: SeSystemtimePrivilege	2556	WMIC.exe
Token: SeProfSingleProcessPrivilege	2556	WMIC.exe
Token: SeIncBasePriorityPrivilege	2556	WMIC.exe
Token: SeCreatePagefilePrivilege	2556	WMIC.exe
Token: SeBackupPrivilege	2556	WMIC.exe
Token: SeRestorePrivilege	2556	WMIC.exe
Token: SeShutdownPrivilege	2556	WMIC.exe
Token: SeDebugPrivilege	2556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2556	WMIC.exe
Token: SeRemoteShutdownPrivilege	2556	WMIC.exe
Token: SeUndockPrivilege	2556	WMIC.exe
Token: SeManageVolumePrivilege	2556	WMIC.exe
Token: 33	2556	WMIC.exe
Token: 34	2556	WMIC.exe
Token: 35	2556	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1396 iexplore.exe
2756 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1396 iexplore.exe
1396 iexplore.exe
2696 IEXPLORE.EXE
2696 IEXPLORE.EXE
2756 DllHost.exe
2756 DllHost.exe

pid	process
1396	iexplore.exe
2756	DllHost.exe

pid	process
1396	iexplore.exe
1396	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2756	DllHost.exe
2756	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exejyidguupnjpt.exejyidguupnjpt.exeiexplore.exe

description	pid	process	target process
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 2272 wrote to memory of 1752	2272	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 1752 wrote to memory of 2684	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	jyidguupnjpt.exe
PID 1752 wrote to memory of 2684	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	jyidguupnjpt.exe
PID 1752 wrote to memory of 2684	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	jyidguupnjpt.exe
PID 1752 wrote to memory of 2684	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	jyidguupnjpt.exe
PID 1752 wrote to memory of 2200	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 2200	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 2200	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	cmd.exe
PID 1752 wrote to memory of 2200	1752	27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe	cmd.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 2684 wrote to memory of 1664	2684	jyidguupnjpt.exe	jyidguupnjpt.exe
PID 1664 wrote to memory of 2360	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2360	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2360	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2360	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2324	1664	jyidguupnjpt.exe	NOTEPAD.EXE
PID 1664 wrote to memory of 2324	1664	jyidguupnjpt.exe	NOTEPAD.EXE
PID 1664 wrote to memory of 2324	1664	jyidguupnjpt.exe	NOTEPAD.EXE
PID 1664 wrote to memory of 2324	1664	jyidguupnjpt.exe	NOTEPAD.EXE
PID 1664 wrote to memory of 1396	1664	jyidguupnjpt.exe	iexplore.exe
PID 1664 wrote to memory of 1396	1664	jyidguupnjpt.exe	iexplore.exe
PID 1664 wrote to memory of 1396	1664	jyidguupnjpt.exe	iexplore.exe
PID 1664 wrote to memory of 1396	1664	jyidguupnjpt.exe	iexplore.exe
PID 1396 wrote to memory of 2696	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 2696	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 2696	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 2696	1396	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 2556	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2556	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2556	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 2556	1664	jyidguupnjpt.exe	WMIC.exe
PID 1664 wrote to memory of 1008	1664	jyidguupnjpt.exe	cmd.exe
PID 1664 wrote to memory of 1008	1664	jyidguupnjpt.exe	cmd.exe
PID 1664 wrote to memory of 1008	1664	jyidguupnjpt.exe	cmd.exe
PID 1664 wrote to memory of 1008	1664	jyidguupnjpt.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

jyidguupnjpt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jyidguupnjpt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jyidguupnjpt.exe

C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\jyidguupnjpt.exe
    C:\Windows\jyidguupnjpt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\jyidguupnjpt.exe
      C:\Windows\jyidguupnjpt.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1664
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2696
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JYIDGU~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27E887~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.html

Filesize
9KB

MD5
71600f1d3f4a70fdf11c3085f73dfd66

SHA1
f3fee4dc472b39d850e43064b33411c0cfd537e0

SHA256
1a985bd853126e4d6a8ae84f6948965d2594c741cc84cd669358b140546771a9

SHA512
832a9b506ca6626c3045f173a2510728ddd0793d4912d1a354f5d166f26c00027e5afd9cfd712f4cfd2d9c1255b1111e43a8386cf0951abe49899b7540287d54

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.png

Filesize
63KB

MD5
fc4ed43e3c8c7fd4efc44f7a8d01b914

SHA1
b559e3bd4d75a9a6661b4243f79d6b7fa7499ee7

SHA256
05a4a9d21d0d745cc8c83001b6d8658c46056a0431c5a6a62a436ae273532c9e

SHA512
77f90fad37c6f8eb7d8a592f4217dc05e07041ee8bce3e8338cb769f4a471d0483f96825d818fe7eb05ced4eb176e861a2d61022bbdce37124af90cbb865d542

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.txt

Filesize
1KB

MD5
01184afac9e1528ed3bd7b9f8c85c2d1

SHA1
fe06e6a4f250f6e55fc052dc9541f5e3e115021e

SHA256
4a1fe91e41f16355ac83686f08f3b42abefc1603cca6ce014af659c5444b9152

SHA512
7d3e18b8035b2dd7b752101e6c5be0e521b53473713c9e7bd8da6edbd944c286a146868c6e6d1bf1b052c64c19b31941563c198983ccfe5aa111de84645f7e84

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f71101670856d4fd6b943408f66af767

SHA1
e8ccf0cbb0a37984ba34c13f5cf3291152bfd6e8

SHA256
1d4e63cad844866a5e2583930b4c4512909be7aee97cf735e403f4ebc5164aab

SHA512
6917c6c00fbf441f39af042e8682d3f0973ddd9c45a10df607cdd4b906138fef3e7f22f9104de1137865d6d66466462450115230e4782749a584d9bc85fb0daa

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
2511b598b25ffe28b085551e0eee4f3f

SHA1
48953d1c0d597e3683cc0c3116b225a5a43df05a

SHA256
be7a45f36c17ae78a12790003216019eed7dfe2a04e4d688a613e8e49665439c

SHA512
8e912a53c1fd1f59eecdad444efa69c953fd03aef2c5c4d7cf1277d19148c4cf9a52fbb278fc32c7ccbffc31aa4e8c63385c65cbceb71f2e1b28a34b0d1db346

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
82e9cdd3fe64bfcd12a1e23fccdc8033

SHA1
642dfa4f7d798cd04cf72e3310f167e1b49fbcdf

SHA256
5824bf292bc7e06176256df06018101ac3432b216dd5970f98db318ac47b276a

SHA512
e179d55246d03d84250c5e1e1689a20275880e33b72c2d14b2b9e913d927d838bf6cddb6ffc5bf506ac1659e636bcf2d26f1dfa5b676e8286abda5eba22a34e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c88c89804b9b02ef97dfa974e70bc971

SHA1
ae55e8dee38a4339b0bb3d626a7fb595486d6456

SHA256
e747fcdf8db1c8b0099ddb422a83964273f89eac88717ad941f2c376f9f59d01

SHA512
04f46c3a9e898009a57736ba3c62728a1607aea0f4964dba0b91294bf422f4c67f6ebacc8a9af919d1cc20e0e0bc4b9d4e7886c4ac448093d365e33d04f1274e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdbfa183728138f31a7f17f9ab860b16

SHA1
a5828d36bbe6bc83b02c96a739aac36657f5ad2f

SHA256
9f990e243d67f58fb1679e8777cc9f00da2d76bd5c4403249887ca658785ee25

SHA512
cf5a91f4039d8ad52fc8bc4981d7ce30442ddb479d4f480f76467781ec7a95ac21f496aacdc112acddc1a57045e0258777e650541357e8dc09718ec8dfe587f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4270f7411af666e8fb5eb7dd0266df6

SHA1
87064b6a93005686deacf32bd2d1d5a99033776b

SHA256
bd45603c86dd1c4237633e129bb859daa69831703d9b2507dd56189a42b0f597

SHA512
cd2935ba99e807b0a52f12fba3a76969b38ffc1c3def4971dc8715760d41fc67aa683921513b7175e53beff41083e48564d6849a14018534de25a7b89d4ac392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C6D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C6E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jyidguupnjpt.exe

Filesize
388KB

MD5
27e887aa14f3890a72f06ec5d0759f20

SHA1
8bacf22533725fd98c254c8eb6852edbe225a0ef

SHA256
91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

SHA512
56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

Download Submit
memory/1664-5107-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-1875-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-6573-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-6570-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-6128-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-6127-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-6124-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/1664-6118-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-2238-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1664-1874-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2272-18-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2272-1-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2272-0-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2684-28-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2756-6125-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download