Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 05:11
Static task
static1
Behavioral task
behavioral1
Sample
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
-
Size
368KB
-
MD5
2b70ed1d47f2a5d626d16ab5f355c34b
-
SHA1
cc903de26a6f4dccfb7e216e84c79c0039ea7492
-
SHA256
055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1
-
SHA512
696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db
-
SSDEEP
6144:q/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:6Du6UsibiPbNt370Lcta9OSCnfPuNT
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA
http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA
http://xlowfznrg4wf7dli.ONION/7069B3352A0BFCA
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation mdokemaxugas.exe -
Drops startup file 6 IoCs
Processes:
mdokemaxugas.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.png mdokemaxugas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xxexf.png mdokemaxugas.exe -
Executes dropped EXE 2 IoCs
Processes:
mdokemaxugas.exemdokemaxugas.exepid process 4228 mdokemaxugas.exe 1136 mdokemaxugas.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mdokemaxugas.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvekuhr = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\mdokemaxugas.exe" mdokemaxugas.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exedescription pid process target process PID 3164 set thread context of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 4228 set thread context of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe -
Drops file in Program Files directory 64 IoCs
Processes:
mdokemaxugas.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-150.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+xxexf.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-125.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_ReCoVeRy_+xxexf.png mdokemaxugas.exe File opened for modification C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48_altform-unplated.png mdokemaxugas.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-72_altform-unplated.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-100.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_ReCoVeRy_+xxexf.png mdokemaxugas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24.png mdokemaxugas.exe File opened for modification C:\Program Files\Common Files\System\de-DE\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-100.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-200.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\Microsoft Office\Updates\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Landing.svg mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialRotation.mp4 mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_128x.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-unplated_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-16.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-400.png mdokemaxugas.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\_ReCoVeRy_+xxexf.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_ReCoVeRy_+xxexf.html mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-200.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt mdokemaxugas.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-256_altform-unplated_contrast-white.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-400.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\_ReCoVeRy_+xxexf.txt mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\162.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_sm.png mdokemaxugas.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+xxexf.png mdokemaxugas.exe -
Drops file in Windows directory 2 IoCs
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\mdokemaxugas.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe File created C:\Windows\mdokemaxugas.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.execmd.exemdokemaxugas.exeNOTEPAD.EXEcmd.exe2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdokemaxugas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdokemaxugas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
Processes:
mdokemaxugas.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings mdokemaxugas.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 764 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
mdokemaxugas.exepid process 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe 1136 mdokemaxugas.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exeWMIC.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe Token: SeDebugPrivilege 1136 mdokemaxugas.exe Token: SeIncreaseQuotaPrivilege 3596 WMIC.exe Token: SeSecurityPrivilege 3596 WMIC.exe Token: SeTakeOwnershipPrivilege 3596 WMIC.exe Token: SeLoadDriverPrivilege 3596 WMIC.exe Token: SeSystemProfilePrivilege 3596 WMIC.exe Token: SeSystemtimePrivilege 3596 WMIC.exe Token: SeProfSingleProcessPrivilege 3596 WMIC.exe Token: SeIncBasePriorityPrivilege 3596 WMIC.exe Token: SeCreatePagefilePrivilege 3596 WMIC.exe Token: SeBackupPrivilege 3596 WMIC.exe Token: SeRestorePrivilege 3596 WMIC.exe Token: SeShutdownPrivilege 3596 WMIC.exe Token: SeDebugPrivilege 3596 WMIC.exe Token: SeSystemEnvironmentPrivilege 3596 WMIC.exe Token: SeRemoteShutdownPrivilege 3596 WMIC.exe Token: SeUndockPrivilege 3596 WMIC.exe Token: SeManageVolumePrivilege 3596 WMIC.exe Token: 33 3596 WMIC.exe Token: 34 3596 WMIC.exe Token: 35 3596 WMIC.exe Token: 36 3596 WMIC.exe Token: SeIncreaseQuotaPrivilege 3596 WMIC.exe Token: SeSecurityPrivilege 3596 WMIC.exe Token: SeTakeOwnershipPrivilege 3596 WMIC.exe Token: SeLoadDriverPrivilege 3596 WMIC.exe Token: SeSystemProfilePrivilege 3596 WMIC.exe Token: SeSystemtimePrivilege 3596 WMIC.exe Token: SeProfSingleProcessPrivilege 3596 WMIC.exe Token: SeIncBasePriorityPrivilege 3596 WMIC.exe Token: SeCreatePagefilePrivilege 3596 WMIC.exe Token: SeBackupPrivilege 3596 WMIC.exe Token: SeRestorePrivilege 3596 WMIC.exe Token: SeShutdownPrivilege 3596 WMIC.exe Token: SeDebugPrivilege 3596 WMIC.exe Token: SeSystemEnvironmentPrivilege 3596 WMIC.exe Token: SeRemoteShutdownPrivilege 3596 WMIC.exe Token: SeUndockPrivilege 3596 WMIC.exe Token: SeManageVolumePrivilege 3596 WMIC.exe Token: 33 3596 WMIC.exe Token: 34 3596 WMIC.exe Token: 35 3596 WMIC.exe Token: 36 3596 WMIC.exe Token: SeBackupPrivilege 2872 vssvc.exe Token: SeRestorePrivilege 2872 vssvc.exe Token: SeAuditPrivilege 2872 vssvc.exe Token: SeIncreaseQuotaPrivilege 2608 WMIC.exe Token: SeSecurityPrivilege 2608 WMIC.exe Token: SeTakeOwnershipPrivilege 2608 WMIC.exe Token: SeLoadDriverPrivilege 2608 WMIC.exe Token: SeSystemProfilePrivilege 2608 WMIC.exe Token: SeSystemtimePrivilege 2608 WMIC.exe Token: SeProfSingleProcessPrivilege 2608 WMIC.exe Token: SeIncBasePriorityPrivilege 2608 WMIC.exe Token: SeCreatePagefilePrivilege 2608 WMIC.exe Token: SeBackupPrivilege 2608 WMIC.exe Token: SeRestorePrivilege 2608 WMIC.exe Token: SeShutdownPrivilege 2608 WMIC.exe Token: SeDebugPrivilege 2608 WMIC.exe Token: SeSystemEnvironmentPrivilege 2608 WMIC.exe Token: SeRemoteShutdownPrivilege 2608 WMIC.exe Token: SeUndockPrivilege 2608 WMIC.exe Token: SeManageVolumePrivilege 2608 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe 528 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exemdokemaxugas.exemdokemaxugas.exemsedge.exedescription pid process target process PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3164 wrote to memory of 3228 3164 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe PID 3228 wrote to memory of 4228 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe mdokemaxugas.exe PID 3228 wrote to memory of 4228 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe mdokemaxugas.exe PID 3228 wrote to memory of 4228 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe mdokemaxugas.exe PID 3228 wrote to memory of 4008 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe cmd.exe PID 3228 wrote to memory of 4008 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe cmd.exe PID 3228 wrote to memory of 4008 3228 2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe cmd.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 4228 wrote to memory of 1136 4228 mdokemaxugas.exe mdokemaxugas.exe PID 1136 wrote to memory of 3596 1136 mdokemaxugas.exe WMIC.exe PID 1136 wrote to memory of 3596 1136 mdokemaxugas.exe WMIC.exe PID 1136 wrote to memory of 764 1136 mdokemaxugas.exe NOTEPAD.EXE PID 1136 wrote to memory of 764 1136 mdokemaxugas.exe NOTEPAD.EXE PID 1136 wrote to memory of 764 1136 mdokemaxugas.exe NOTEPAD.EXE PID 1136 wrote to memory of 528 1136 mdokemaxugas.exe msedge.exe PID 1136 wrote to memory of 528 1136 mdokemaxugas.exe msedge.exe PID 528 wrote to memory of 2336 528 msedge.exe msedge.exe PID 528 wrote to memory of 2336 528 msedge.exe msedge.exe PID 1136 wrote to memory of 2608 1136 mdokemaxugas.exe WMIC.exe PID 1136 wrote to memory of 2608 1136 mdokemaxugas.exe WMIC.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe PID 528 wrote to memory of 804 528 msedge.exe msedge.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
mdokemaxugas.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System mdokemaxugas.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" mdokemaxugas.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\mdokemaxugas.exeC:\Windows\mdokemaxugas.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\mdokemaxugas.exeC:\Windows\mdokemaxugas.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1136 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:764 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffff93046f8,0x7ffff9304708,0x7ffff93047186⤵PID:2336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:26⤵PID:804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:36⤵PID:1192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:86⤵PID:4140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:16⤵PID:2320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:16⤵PID:2456
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:86⤵PID:3476
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:86⤵PID:2716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:16⤵PID:1476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:16⤵PID:2344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:16⤵PID:1952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:16⤵PID:3660
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MDOKEM~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B70ED~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:4008
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1160
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3168
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5fe0557b804c30ae74e0da398c273ef99
SHA1593aa35a3017039e0d12f128ee7ef9b4cebcd5c3
SHA256fe422dfe1b328e735858842c05249ce9316d848745c0b760f7900ccbaf9b8e0a
SHA51251b3b9653715a37a04c2dadb685e1cc5574c29cb95c75c5250255d3ff50c3f0959a359a938e37eb5862811052cdebe3ffd48539da174632ad1129320d9735ab6
-
Filesize
64KB
MD55d47a95adc3ba122ba1515dd8ec829db
SHA1fb031625e960a50c1b49f231726756be88f6213f
SHA256de36a0007fc577516175880166eb370d48bcf492b26d19f693606825662fda44
SHA512c310566dbad2ee10b3bd176b1819c169d413f72f180a73727423ae569957675c3a0486381884e79c333e6ca41f1f2baf8d50b62f6f44ff72dc1d1a05eb1509fb
-
Filesize
1KB
MD5cbf17f5270f00906b8dc02400ed1d1b7
SHA1d967ac75f75194a4a79a8e8ce4ba68cef50792e9
SHA2569e917c2ca2ae632dd3c78b020ce72a452ecc3eb5ec6c00aafee86dc0cbdcd2d4
SHA5123cca34f07472a3fe21415286dc8c21cf37854b883582cf9f724679ec78f726292d8aa867f2bc56de151cefb251175c8e46de8c1b2e4f4025cf70c301e3c366d1
-
Filesize
560B
MD51f21bf9a6607a2bfd427bf2fae603ef0
SHA1b48a189d8c63a0f5fa4e2d19c00928e88e134f69
SHA256d4707ae82c1bcdfc218691f77ca2fee4cdad27e319ac970586187951664acc7f
SHA512da18e4812aba7425bdca3257ac3786120fd86038de752028dd294fc981499a73b348415c8cba9555335dc05b201b8459f2e87cb4b8f299564f875a67f1efa095
-
Filesize
560B
MD5f0d997b32eee79011cb69c756caaabdb
SHA16b348e63bfa624c5c3c9656d8c2c94a3da3ddc00
SHA256ad75fb28fec7f702830a7854aa8e85462f38190ea26cc1a0cc7e849b00b62cef
SHA512ab586d99aafb6e1819767e9accf733ae050effe6e4441732f14eaaa879d68d90faf92cef5d8cd2eb5c231299609c301ce2b5b8e7420ec66991a68a46a9da156a
-
Filesize
416B
MD556f2e9dad2d21172782d0e65e1600670
SHA1b34551e7f2d68554dab8f646cee9abfe4ede0a33
SHA25649a06359ac9f920da3d69462fb42a81c002223be970444f0d69ba27910806dd6
SHA5120438271eff6a7a0645eb4cfc83fde3193013841d4b92350ba6baa8cd910ea93a38e5af4b413c76227fcbf3ca2060b92a5b81e7a14796a7955ee5b402f1681df2
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
6KB
MD53fe28b95045da726ddd9b9ed4d2a9691
SHA1fc3a5157e6b920872efec1b9ddebfc40654b6c3f
SHA256cd0915a96cd0f2c9982284eea0045bbedb5e9370d0552238e32a23b1d29939ea
SHA5126c4878129439b4fe5cc506a819db848d657d53b468a4e0b25637eace3f8a04aa21ddcf46cf32ba1cb3c502ee0877af6ef17f131bc73a0d5d65821f71fc31f5c3
-
Filesize
6KB
MD55fce19b261c20aea782fd89bd1e1f301
SHA1741cc43988b75cbf22a0d0465acb4a45ade9f6b9
SHA256c1fb85dc1cfedd6b99503f4107e82809d9e318155e4c4c35adbe3e073065d3cc
SHA512a02276c11e5a0c99b4c84e60837657b0b0366152f4d3ae3808d2befa6f330eeb187f70aecfa8813cfdaef7e141129324c84a3e96519d59e9e3adc6f7809d26d4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD57eaf175597ace8b20b6f791811429761
SHA1f8196235c3843a36a00c9ba760698deb8bc79355
SHA25652743360209c3b7d6981d6872ba0286cd7cf394ce9c4df040b174363859eb2f5
SHA512ac064c2892c07d0ee61cf74b6664010cbf132ee1f5f99d63c61ed0dc42d9e7435a639f48152189ec7bd6feaf724ce4ff30c96ed4c82a8d7ed75caa47b000bb55
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt
Filesize77KB
MD533eb4a0806aeb92bcf01db84c4970f89
SHA18ac16eb26666e828209ad790a9196ae68eb6e4bd
SHA25649b60f1111c45c3bffcb8691fdb4352dedd4c1eb25f9a2c317cbeb1d3b1b6eeb
SHA5127b7fd96824fd0bd26d6bd3bb0b9d2aa4024f3b17f6c89a0aa582f7e436b3d98864d61f8fbf492bbb8ef55aad88206de1558f49ce22c69b1c836f2c9d640a8823
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt
Filesize74KB
MD519079ec7db523e2d57f8a71427231662
SHA1e3474beb8041f3ee2e28c0151e9bd49fee948f94
SHA256a64e28d0c82e8fc0383bf510daabedd6c80f77da02d2161e4e0b7044a94b5aa7
SHA512d011b13dc4ba503b85ded771bbc0fc8cb95288407c7ad18c2b712252e37fda4b8ddc2808c813012d770ea5bc7d6e0a6b17730a543ffe1f0251386f9616ee5ed5
-
Filesize
368KB
MD52b70ed1d47f2a5d626d16ab5f355c34b
SHA1cc903de26a6f4dccfb7e216e84c79c0039ea7492
SHA256055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1
SHA512696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e