teslacrypt | 33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
Size

364KB
MD5

2b5c64d0ae335be2b30de30ed5cf9b71
SHA1

57a809107f1810a3ed01d4baf09f89a1fb562757
SHA256

33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b
SHA512

96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8
SSDEEP

6144:REAU1eeD624pGSoJDZ2sqIrU5AsZBbgyg4s43yirHwlzKPm:RvU1eeD6282JtOI2D3bzsEHrQBKP

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/512A8BC06C1C5BC8 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8 http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/512A8BC06C1C5BC8

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8

http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8

http://xlowfznrg4wf7dli.ONION/512A8BC06C1C5BC8

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (437) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe

pid	process
2652	cmd.exe

Drops startup file 6 IoCs

Processes:

udtajmeamkwc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe

Executes dropped EXE 2 IoCs

Processes:

udtajmeamkwc.exeudtajmeamkwc.exe

pid process

2852 udtajmeamkwc.exe
624 udtajmeamkwc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2852	udtajmeamkwc.exe
624	udtajmeamkwc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

udtajmeamkwc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubxylt = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\udtajmeamkwc.exe"	udtajmeamkwc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exeudtajmeamkwc.exe

description	pid	process	target process
PID 2400 set thread context of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2852 set thread context of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe

Drops file in Program Files directory 64 IoCs

Processes:

udtajmeamkwc.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Microsoft Games\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Uninstall Information\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\SelectCompress.zip	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\_ReCoVeRy_+jqkno.png	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_ReCoVeRy_+jqkno.txt	udtajmeamkwc.exe
File opened for modification	C:\Program Files\Java\_ReCoVeRy_+jqkno.html	udtajmeamkwc.exe

Drops file in Windows directory 2 IoCs

Processes:

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\udtajmeamkwc.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
File created	C:\Windows\udtajmeamkwc.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exeIEXPLORE.EXEDllHost.execmd.exe2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exeudtajmeamkwc.execmd.exeudtajmeamkwc.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udtajmeamkwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udtajmeamkwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d1107b353f91f50f3107a96bb7dad5dd96fdc051aa3a41eff54f6319c0f0e870000000000e8000000002000020000000c321db26cfc2940d0a18d3f334f719d911f86af3b3bac156547c80937933963c2000000041ccce4698e841e009289706b891367e0000cab9ee699c3a5248f37af334e56f400000003030f20c39b2be4e1647f367d6d13a441b61988deae2f56f9017a06a0e714285cd46da5175864e5b797e3028676209c97f1416a993eba8e9d7189ce2e0527106	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90fdec315c1adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000ac1a17cb4606a0beae4fe3dc10242d6d397066ac70f4c168fc7fb1c6bc0d7507000000000e80000000020000200000001704895b1c35170ba8d32721d5d6d6d706abeaf4a01be544d48d8313466a35a2900000003afe43a519493adfa514bcebec0a3b88b1be8ff897cbf3871c974c3e653c765bc7e2feec12e0bc0e2910f2d7f5bc487cf87ec2240ef7418da60ff0cf339dea680c76d74e1bb226bf1cbd838fad7d63ae7a588630e80078f126f45ea3ee575550677bccdcba4e2531e98fb2514952c8283d3bcc997b6752aeee0f755ac3790d71c935a54128aa7ce40d14142b6ae584b24000000098f01ebdf32566d89e3c336fd7088d51f0e0f3101798531e61bf5ac1d585c0da4771c1904b2bb3f64a63b1b4a95e33fb843ae68ff7eb0382e54c9b93c64f688e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D7A4801-864F-11EF-8320-E61828AB23DD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

324 NOTEPAD.EXE

pid	process
324	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

udtajmeamkwc.exe

pid	process
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe
624	udtajmeamkwc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exeudtajmeamkwc.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
Token: SeDebugPrivilege	624	udtajmeamkwc.exe
Token: SeIncreaseQuotaPrivilege	2056	WMIC.exe
Token: SeSecurityPrivilege	2056	WMIC.exe
Token: SeTakeOwnershipPrivilege	2056	WMIC.exe
Token: SeLoadDriverPrivilege	2056	WMIC.exe
Token: SeSystemProfilePrivilege	2056	WMIC.exe
Token: SeSystemtimePrivilege	2056	WMIC.exe
Token: SeProfSingleProcessPrivilege	2056	WMIC.exe
Token: SeIncBasePriorityPrivilege	2056	WMIC.exe
Token: SeCreatePagefilePrivilege	2056	WMIC.exe
Token: SeBackupPrivilege	2056	WMIC.exe
Token: SeRestorePrivilege	2056	WMIC.exe
Token: SeShutdownPrivilege	2056	WMIC.exe
Token: SeDebugPrivilege	2056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2056	WMIC.exe
Token: SeRemoteShutdownPrivilege	2056	WMIC.exe
Token: SeUndockPrivilege	2056	WMIC.exe
Token: SeManageVolumePrivilege	2056	WMIC.exe
Token: 33	2056	WMIC.exe
Token: 34	2056	WMIC.exe
Token: 35	2056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2056	WMIC.exe
Token: SeSecurityPrivilege	2056	WMIC.exe
Token: SeTakeOwnershipPrivilege	2056	WMIC.exe
Token: SeLoadDriverPrivilege	2056	WMIC.exe
Token: SeSystemProfilePrivilege	2056	WMIC.exe
Token: SeSystemtimePrivilege	2056	WMIC.exe
Token: SeProfSingleProcessPrivilege	2056	WMIC.exe
Token: SeIncBasePriorityPrivilege	2056	WMIC.exe
Token: SeCreatePagefilePrivilege	2056	WMIC.exe
Token: SeBackupPrivilege	2056	WMIC.exe
Token: SeRestorePrivilege	2056	WMIC.exe
Token: SeShutdownPrivilege	2056	WMIC.exe
Token: SeDebugPrivilege	2056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2056	WMIC.exe
Token: SeRemoteShutdownPrivilege	2056	WMIC.exe
Token: SeUndockPrivilege	2056	WMIC.exe
Token: SeManageVolumePrivilege	2056	WMIC.exe
Token: 33	2056	WMIC.exe
Token: 34	2056	WMIC.exe
Token: 35	2056	WMIC.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1256	WMIC.exe
Token: SeSecurityPrivilege	1256	WMIC.exe
Token: SeTakeOwnershipPrivilege	1256	WMIC.exe
Token: SeLoadDriverPrivilege	1256	WMIC.exe
Token: SeSystemProfilePrivilege	1256	WMIC.exe
Token: SeSystemtimePrivilege	1256	WMIC.exe
Token: SeProfSingleProcessPrivilege	1256	WMIC.exe
Token: SeIncBasePriorityPrivilege	1256	WMIC.exe
Token: SeCreatePagefilePrivilege	1256	WMIC.exe
Token: SeBackupPrivilege	1256	WMIC.exe
Token: SeRestorePrivilege	1256	WMIC.exe
Token: SeShutdownPrivilege	1256	WMIC.exe
Token: SeDebugPrivilege	1256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1256	WMIC.exe
Token: SeRemoteShutdownPrivilege	1256	WMIC.exe
Token: SeUndockPrivilege	1256	WMIC.exe
Token: SeManageVolumePrivilege	1256	WMIC.exe
Token: 33	1256	WMIC.exe
Token: 34	1256	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

908 iexplore.exe
1972 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

908 iexplore.exe
908 iexplore.exe
236 IEXPLORE.EXE
236 IEXPLORE.EXE
1972 DllHost.exe
1972 DllHost.exe

pid	process
908	iexplore.exe
1972	DllHost.exe

pid	process
908	iexplore.exe
908	iexplore.exe
236	IEXPLORE.EXE
236	IEXPLORE.EXE
1972	DllHost.exe
1972	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exeudtajmeamkwc.exeudtajmeamkwc.exeiexplore.exe

description	pid	process	target process
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2400 wrote to memory of 2868	2400	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
PID 2868 wrote to memory of 2852	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	udtajmeamkwc.exe
PID 2868 wrote to memory of 2852	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	udtajmeamkwc.exe
PID 2868 wrote to memory of 2852	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	udtajmeamkwc.exe
PID 2868 wrote to memory of 2852	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	udtajmeamkwc.exe
PID 2868 wrote to memory of 2652	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2652	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2652	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2652	2868	2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe	cmd.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 2852 wrote to memory of 624	2852	udtajmeamkwc.exe	udtajmeamkwc.exe
PID 624 wrote to memory of 2056	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 2056	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 2056	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 2056	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 324	624	udtajmeamkwc.exe	NOTEPAD.EXE
PID 624 wrote to memory of 324	624	udtajmeamkwc.exe	NOTEPAD.EXE
PID 624 wrote to memory of 324	624	udtajmeamkwc.exe	NOTEPAD.EXE
PID 624 wrote to memory of 324	624	udtajmeamkwc.exe	NOTEPAD.EXE
PID 624 wrote to memory of 908	624	udtajmeamkwc.exe	iexplore.exe
PID 624 wrote to memory of 908	624	udtajmeamkwc.exe	iexplore.exe
PID 624 wrote to memory of 908	624	udtajmeamkwc.exe	iexplore.exe
PID 624 wrote to memory of 908	624	udtajmeamkwc.exe	iexplore.exe
PID 908 wrote to memory of 236	908	iexplore.exe	IEXPLORE.EXE
PID 908 wrote to memory of 236	908	iexplore.exe	IEXPLORE.EXE
PID 908 wrote to memory of 236	908	iexplore.exe	IEXPLORE.EXE
PID 908 wrote to memory of 236	908	iexplore.exe	IEXPLORE.EXE
PID 624 wrote to memory of 1256	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 1256	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 1256	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 1256	624	udtajmeamkwc.exe	WMIC.exe
PID 624 wrote to memory of 2564	624	udtajmeamkwc.exe	cmd.exe
PID 624 wrote to memory of 2564	624	udtajmeamkwc.exe	cmd.exe
PID 624 wrote to memory of 2564	624	udtajmeamkwc.exe	cmd.exe
PID 624 wrote to memory of 2564	624	udtajmeamkwc.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

udtajmeamkwc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	udtajmeamkwc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	udtajmeamkwc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\udtajmeamkwc.exe
    C:\Windows\udtajmeamkwc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\udtajmeamkwc.exe
      C:\Windows\udtajmeamkwc.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:624
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:236
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UDTAJM~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B5C64~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.html

Filesize
12KB

MD5
627b96f22a8b34236c1247849cbf9d3e

SHA1
c54e1c955189e89a12f03f052d306fa2dbb23337

SHA256
9e85f1d1711fa3bf6b7da3bb98eb427c530da4c291edb960648d18d99bb8cb26

SHA512
cce02c99d9e9c2277ef02e1c54b9bb87d6fe0bfa37ca209839320b7829ab8b6cadaecdb3b060d77cbf96abe5e89d1ad9faae0ad8816a5a139034dcbeff1aa864

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.png

Filesize
64KB

MD5
c39e45b3b3ba32157c18e26cc41dc310

SHA1
c631d62f809ee4cf35c76d246f0202ad9741b945

SHA256
52a04d88bd32c858445e7ff7a8bc4181b45384f4fd898deb9fccab8c81162c78

SHA512
49cee5866260684a5df81fdc1959910edd74718d28e29d60323234b142674adddb1edc100057ae729f5b6668bf2d027592466946112b7272ba216af97d329fdb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.txt

Filesize
1KB

MD5
de6178ef3c9f4e69870bd0cec21b9dbe

SHA1
cf1728de6778b1623390fd629e15373451105fa4

SHA256
0e7ba4b3e3c862808e12e1a2f0b898bca73d7f65fb4291abdbb2801eb727bb0d

SHA512
8f3accf391aac101c00db6dcebb2fedbcf412e36b103bcb37bea58d5f096ac191605306a9a19a7faf20f0d341abf7391ee658aa237d90b42c70a69476886589f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ee9052782b869ed5019066e28bd8dc2b

SHA1
67bbd080e65175f335f634d50cad1619f6fcd7f1

SHA256
1700041b8b51b6098c6e13ab8e90bbbb1634d9da0bb8122686ac3d980feb5c7d

SHA512
372ad0aa350ee28d39380865ab115a341d24acd0fcad5001dd61f8fdbd80c417fd1885f54ebc8234b6190471f21635e191ea1cbe822aec5d9729d12fc1fe729c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ca1d087e5b444c7d91bac250b4d0613a

SHA1
3b89d056c3f4a1cb4c9cb5958928874cdb85b55f

SHA256
577382f14d7871adeac0f07936a267aa11eef3c037ea3f46d37fb4ddb8043fe5

SHA512
d5873e9ed859da6ed0fb93954194c4f7e348f77ead18edd7ecc7d0d88a0cf3159ed3cad9b2e34d46164a563794340a156518119b2afb2f25f811a0978c3d7d46

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b15d8e8b690c4bb6d4d467ad666dfdf8

SHA1
06ec74faf73d019d2f3371d4ff83bfab6a8bca07

SHA256
a2332a568527228fba05e299729e480709dbbf3a408b3f4a02e07c58b17144fb

SHA512
7e24c3aa524c3060e6c032fdee8a676d04723c4791fda5bc2548f5db70a2dcfd99bb42fc27a121fc8e74fd91432ef88a4a08f344fae25c88e8cf728dd755da96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3db2a18e17e7f1f7776965a8e9f2cf7b

SHA1
8e2ca944a72e758b4722c3d68a2e7eff3e5d9baa

SHA256
4ec86f7898f36773466ad8ac3a4bb1ca5b297d47f0eda932b95a4cea1c8a24a1

SHA512
4b1e538f1c57a7412310d30f1ba90f0db838883e18f32f3a22a87bf171a092b9190f1da7f3f88ee26bd6c8e8a22f692827ec983d315a3d7ae1592636654ace1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdd72faf10376b8df826dde108d2abfa

SHA1
7bb66a96ebacfdfdbe429d590d989b3d6479cbbc

SHA256
f7e83a5229a3ca4962691ad4116312deec88f7ab95e4b1b35795e7b7751bc7bb

SHA512
83a285a72e8bed6eb00f6e68550a82fe531ba75b86d1af44acd32b49e457a5bd2ef77a914c35923e0f9dc3c51505262941192a838960821deba03be81872a1da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48756734bec758711d9d7bd9950c9d15

SHA1
7d8e39a9ffa046d310b1e257df93db62a9093573

SHA256
7eafb603292c73c57d5cc341fdb78bd1af7f1dacba9f3cd93831e1dfc69a9fa1

SHA512
c327723a8abf36ac8ecb6ddf95001bdb0c4346b199aecbe2d70c1d9b7cbee9338b863c8075ae6a3298f99e69c78019e1a1a4b70ebc6b4eb87cf8f173f50ee70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1248232133eb176533efa60b1dd6cd46

SHA1
0a3e2d1a7d35184f997cdf610b7fef47a0a42399

SHA256
ad7bd801f3c20dcce90e89e9019ebd9cc0c7f3181775dc9e4800bef5b8aa2a05

SHA512
d1fec50742e849e944936d460aebd69d2863da98f9a6dbb1876616b90c6d0ad6b3ef0a79ad2a67caf2e99564c757154d0d252115f3429d0ee7644bbc27f1de94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6e56e7cbca4ddcb5600d6889f8cfc94

SHA1
2b276bf755368f3ee9eaeca4973974ec970a8ff7

SHA256
adcb491b19cbf18b885fa26075231384389f1813c4a00147e82fa230ebccad89

SHA512
c47c0bfc7b9d2e2166d0db8fb06495502f580ccb87051a4c431af5dfb4ca2dcff96e7ddfb69f9147833256934a8013894c0e98880bbd7f77b712bde0b6036927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de71ea025692b5fe95ad12b2d4a937b

SHA1
663e63a7fcecd151add783475bc7cc6442ed6fa1

SHA256
a25d3b75e5d9fbf50aa01d8959db229641b1456fe0bb7c9bede93da7978aed53

SHA512
35a11009b0909b64cf42bba6ca8a7dbb5eda873008f4ab9a83353b58bec5a9cd519eaadf95b2fc9165841649ab201f69230672efc80435e1b074b41cb112435b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0661c46939f715440db27ca19468b534

SHA1
7e8aab866598c0f2bdcfd9bfccb6ab3a91cd419a

SHA256
ebbba41c479d2d7284620b6a05697bc69dffa491be703b4fec02bd2b4844a729

SHA512
5226e02642f8ee7ba1f1fa97c0036cba6eb3952ee937a50eda518a04056ed02d10a5ab9b545a9b47bffeedaa4c6a055439c0c361bf3e3d85b68f80ac272ec9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
325505084779abe282137ff232011929

SHA1
9048ee02bc0477114213d3d96c325bc15bf2f9ae

SHA256
8b9a89115ec7d8c12117472a0ed6e2728c99ee28822377d3e88a3c0eb54d5c40

SHA512
f2ba733794abf5c83262af8e613acb6f1b3ccfbae45919cb39226e9d371bc9d6186bef1cdcb16bd1bdb2ccbf1c5b6d33a4ab3a09d3f39a8a65772a24c73a1196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dde2936764ed1f3cd981b1c807444dde

SHA1
a4b4fb33240b3be944d10645df14a5326d2f1f05

SHA256
b62632afb7486ce96a84ad2ad61cb45962fbaf89ba6ff30f79b9073291e1e066

SHA512
24d8b2c066241a073e03a099068b2d6b40b58b4e5164b495afbe6053a3c9f9740187c73002533ff6350e25dd8a4e53abbd1c997d49e28364414923def1b2b278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2658.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\udtajmeamkwc.exe

Filesize
364KB

MD5
2b5c64d0ae335be2b30de30ed5cf9b71

SHA1
57a809107f1810a3ed01d4baf09f89a1fb562757

SHA256
33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b

SHA512
96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8

Download Submit
memory/624-6148-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-1935-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-1062-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-6155-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-6149-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-6144-0x00000000040E0000-0x00000000040E2000-memory.dmp

Filesize
8KB

Download
memory/624-1933-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-5050-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-6138-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1972-6145-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2400-17-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/2400-0-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/2400-1-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/2852-31-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2868-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download