teslacrypt | 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Size

388KB
MD5

40707cdcd4220213b9ef2545043d6c99
SHA1

7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256

6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512

0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
SSDEEP

6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+aetij.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3182D2DDCA1126 2. http://kkd47eh4hdjshb5t.angortra.at/6E3182D2DDCA1126 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3182D2DDCA1126 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6E3182D2DDCA1126 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3182D2DDCA1126 http://kkd47eh4hdjshb5t.angortra.at/6E3182D2DDCA1126 http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3182D2DDCA1126 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6E3182D2DDCA1126

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3182D2DDCA1126

http://kkd47eh4hdjshb5t.angortra.at/6E3182D2DDCA1126

http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3182D2DDCA1126

http://xlowfznrg4wf7dli.ONION/6E3182D2DDCA1126

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2164 cmd.exe

pid	process
2164	cmd.exe

Drops startup file 6 IoCs

Processes:

pjgkqcsdvcay.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.png	pjgkqcsdvcay.exe

Executes dropped EXE 2 IoCs

Processes:

pjgkqcsdvcay.exepjgkqcsdvcay.exe

pid process

2032 pjgkqcsdvcay.exe
272 pjgkqcsdvcay.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2032	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pjgkqcsdvcay.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhhdihrwkagb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pjgkqcsdvcay.exe\""	pjgkqcsdvcay.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exepjgkqcsdvcay.exe

description	pid	process	target process
PID 2644 set thread context of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2032 set thread context of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe

Drops file in Program Files directory 64 IoCs

Processes:

pjgkqcsdvcay.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\7-Zip\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+aetij.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Recovery+aetij.html	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Common Files\System\ado\Recovery+aetij.txt	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	pjgkqcsdvcay.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+aetij.html	pjgkqcsdvcay.exe

Drops file in Windows directory 2 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\pjgkqcsdvcay.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
File opened for modification	C:\Windows\pjgkqcsdvcay.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exeDllHost.exe40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exepjgkqcsdvcay.execmd.exepjgkqcsdvcay.exeNOTEPAD.EXEIEXPLORE.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjgkqcsdvcay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjgkqcsdvcay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd51a97342801945b136bf1c521e8b07000000000200000000001066000000010000200000004d278c987b4a4f54e5bd18d9997482b27717619f713982a51dc520b6b9e8f553000000000e8000000002000020000000c771f76db6c349617455c02377de1280a92c0feb87875882d28786ff2f66ff1a90000000f742c46e992f261931164cdff80ea2b2543b75a295480c2762de241d5dbbdd056bf448aa9346b10440d7a05cc9b9bf8a7aee404b62a112af8e872af478a1c1cfb806e10ce3932fb2e5bac46faca12a1d960d310e35a4a15d8204f1143d67a3cc09c6fa93aab8474c3f6ad03051a55b8f36c112f840dc33b7e04add288fcc471630298d8055bcb54834775502e8aaa8a2400000004e12e357aba7264f8ceaa2dcb792d15802d7f31eb556412b3744123be206fd9d938d51e7a3d7ad31e4f5a8f526b2a290b63c5759e921c6ccd67a5637c42ef1e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7054efb47e1ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd51a97342801945b136bf1c521e8b070000000002000000000010660000000100002000000007e2230d1d4a25f9b041ffd7892d91c74744ea82681f6682c24143107fcaf9be000000000e80000000020000200000003bc7b53271b14343809e6cd030baaecb08c20b70debb014f7865a152a3d555db2000000010866540cf34ab6c80e50bf920618d784be70e8e5b4962a9a0986862f5a56a0640000000e7a0de269d5fe24db7fc94665bb9a75e976578db44e0dc983ae7623281340b0a66f9ab739ff745e466534a9b6c07c56859ddd09d43eed62aca30fe08d4e9e8c6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E07572F1-8971-11EF-8AE7-D6CBE06212A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

pjgkqcsdvcay.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	pjgkqcsdvcay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	pjgkqcsdvcay.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1812 NOTEPAD.EXE

pid	process
1812	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pjgkqcsdvcay.exe

pid	process
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe
272	pjgkqcsdvcay.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exepjgkqcsdvcay.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Token: SeDebugPrivilege	272	pjgkqcsdvcay.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe
Token: SeManageVolumePrivilege	2012	WMIC.exe
Token: 33	2012	WMIC.exe
Token: 34	2012	WMIC.exe
Token: 35	2012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

808 iexplore.exe
592 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

808 iexplore.exe
808 iexplore.exe
1660 IEXPLORE.EXE
1660 IEXPLORE.EXE
592 DllHost.exe
592 DllHost.exe

pid	process
808	iexplore.exe
592	DllHost.exe

pid	process
808	iexplore.exe
808	iexplore.exe
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
592	DllHost.exe
592	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exepjgkqcsdvcay.exepjgkqcsdvcay.exeiexplore.exe

description	pid	process	target process
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2644 wrote to memory of 2828	2644	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
PID 2828 wrote to memory of 2032	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	pjgkqcsdvcay.exe
PID 2828 wrote to memory of 2032	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	pjgkqcsdvcay.exe
PID 2828 wrote to memory of 2032	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	pjgkqcsdvcay.exe
PID 2828 wrote to memory of 2032	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	pjgkqcsdvcay.exe
PID 2828 wrote to memory of 2164	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 2828 wrote to memory of 2164	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 2828 wrote to memory of 2164	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 2828 wrote to memory of 2164	2828	40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe	cmd.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 2032 wrote to memory of 272	2032	pjgkqcsdvcay.exe	pjgkqcsdvcay.exe
PID 272 wrote to memory of 2012	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 2012	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 2012	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 2012	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 1812	272	pjgkqcsdvcay.exe	NOTEPAD.EXE
PID 272 wrote to memory of 1812	272	pjgkqcsdvcay.exe	NOTEPAD.EXE
PID 272 wrote to memory of 1812	272	pjgkqcsdvcay.exe	NOTEPAD.EXE
PID 272 wrote to memory of 1812	272	pjgkqcsdvcay.exe	NOTEPAD.EXE
PID 272 wrote to memory of 808	272	pjgkqcsdvcay.exe	iexplore.exe
PID 272 wrote to memory of 808	272	pjgkqcsdvcay.exe	iexplore.exe
PID 272 wrote to memory of 808	272	pjgkqcsdvcay.exe	iexplore.exe
PID 272 wrote to memory of 808	272	pjgkqcsdvcay.exe	iexplore.exe
PID 808 wrote to memory of 1660	808	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 1660	808	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 1660	808	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 1660	808	iexplore.exe	IEXPLORE.EXE
PID 272 wrote to memory of 572	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 572	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 572	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 572	272	pjgkqcsdvcay.exe	WMIC.exe
PID 272 wrote to memory of 2296	272	pjgkqcsdvcay.exe	cmd.exe
PID 272 wrote to memory of 2296	272	pjgkqcsdvcay.exe	cmd.exe
PID 272 wrote to memory of 2296	272	pjgkqcsdvcay.exe	cmd.exe
PID 272 wrote to memory of 2296	272	pjgkqcsdvcay.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pjgkqcsdvcay.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pjgkqcsdvcay.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pjgkqcsdvcay.exe

C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\pjgkqcsdvcay.exe
C:\Windows\pjgkqcsdvcay.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\pjgkqcsdvcay.exe
C:\Windows\pjgkqcsdvcay.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:272

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
6⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PJGKQC~1.EXE
5⤵
- System Location Discovery: System Language Discovery
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\40707C~1.EXE
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+aetij.html

Filesize
9KB

MD5
ccf1d4c273999160bb656b825e4e39fe

SHA1
2230922134e3bfc3bf97c53097ef11a306126924

SHA256
f77fcdcbff74400668c54417f447d1a8adda77eb8e92405a566dfe1c126a841c

SHA512
4740bbca1e82cd24e26f52df90220b076c49028078e5fca68884bc23868ef227d717c7d6b75dea1d6fda64cd2b5d8d7a568d0aba2d0bf04aa02bcf485235c856

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+aetij.png

Filesize
63KB

MD5
a4461a3cac221b97f4d2c51997b8a200

SHA1
79b63d2b9847958ff316297c7be5e7e3f42984d9

SHA256
370ce233607e7344600e5c57eabea288926dd5c330b5eb020b7443852b319739

SHA512
f6606cd309bf972223ef62302b04417867846a0394f724a8dfcf502640f5a37702d97e1e637534a6a9114019ea28a792414a52e900b64ac411d5e8768a92e60d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+aetij.txt

Filesize
1KB

MD5
20cd6f2652839fabcff7e97b22825400

SHA1
fb320f053ec797c0e5190edbc9d0f34e54b04f2d

SHA256
a6d11a7ce1c4dd18c259b41504c3090a2f9da6b637049b2a3bdd00a9789d4a7b

SHA512
b46682e9cd1a24063d4a4bf43c6131473e33e770c2da1e48884e49677cd6ffa0a1f70975bfd8fe667a383e3a587a39a54ae44674f4eec098f45e9d2e65e0c304

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f171cc92c469a91096f4c4ad72f3b442

SHA1
49eae13afafbf345418b8f83a88a904e7f32d62c

SHA256
3bf17ccfbab680398464dd3c4eb027a9d3052e97e59a79e8901bb066b418cd3f

SHA512
0f54098bad44af1a2ef7e2ccb5c1bfb9f795e8c4b083f44311cbe0565aa86f494b17e7efa86a8944eb3b6e5eacf89ea104cf762ec0818b95c83714ebc2f674bf

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
996358eff536fee86e1c70143fce0fe7

SHA1
f3bb63b34f678c817cbc5d7a338aee72dd3b4205

SHA256
85720cc76b97e19c18a3eb803facae6a80507d6470b7e286bd1c6db31aa06d88

SHA512
138b3aa124781976ffdd7fc7083033e4a9a378ac587c74bd73947660987276a7a4af723515040f6ff7544aa286e98b1c47b23ec1abf872763f53eb03135becfb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
d84272c7fe99dcc5b069b3bf45e85c8b

SHA1
377327990075c89900630dabf3069f26ad7ba333

SHA256
98fea4a177c94b746e3f17aaffddf59be49cbd276a3c2dbd7e1e8d11cd3685fb

SHA512
570d59770ea614a13e5606ef6180ada43aff0c4d3657a99a69ec2b118a855f9c98594d8a2f6c7a10b5f75e7cfeaffb6676807f17e7060aaa06a35b4d44339522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c30c4c171f6a454bdbf6530c3461dd

SHA1
8daf5a71c8e209adbc67a060029e79822dbf5b2e

SHA256
55e04ce6e3c1019219cbfddd879989b2fa7acabc1c816b2817ea254292665bee

SHA512
2ff4ae21b0a576db7c085b685181a5c3d73326cbfc2d9d01590fe381ab09ab37ebcb7cb3ee203e6e60c52134cc1c8c9546ebe72e90d4a15828ed3abe22cc04e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df00be7afe6d93104b9cffbf07e58957

SHA1
4de2d7d5e08ec7d2efef726c3b614d1407595b28

SHA256
fdc5fb4031c81be21d6623f75039fcfb0604a81599d4f02726fe4309e1a4829d

SHA512
cd93937c9425fb2ec792b64e493a855c25065557079aa1163f9ace2a1f7da06ddc66eb18004f96e016e24db0d4e8d486a17a772f54f80f9a6f6d48eeee7fff24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b34d69a1bfdaf7765b96bb5a386dad6

SHA1
9278256ac6a06d82047059ce8e5fee4d08da9bf9

SHA256
828e7195f28ffce498043d5de7722772244784a81158cbacd65f5601b820f76e

SHA512
6bd7c6638dfac4be979679576ee908011cb4fd2f7d606ebbf9036a3e8006f7898714d4468fb8b92cbe029655c4fdbc526e2719485b8f6d6b4c494f4fd21e771d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41f04a164104335f8caca150ffd98853

SHA1
2c576ed6a8d94a7ea625b6c993a3dd0f29758ee1

SHA256
51e08ef4cb416a9a38098c88daca8e597ddda722c6d9301d5e230574e4414d56

SHA512
b0c83803ead25ed09fdf971d9a2d25ff4120809e6773c9a05420bafead63881f5a0a1759ec4b2e86e9d96c9db2c1b8a970d6585e4ef89a26582b6e55d0ed7c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ec0a77a6661186d140d43d6593cf333

SHA1
3be2dfa7d90590a2c03383690a688f80f78206d2

SHA256
fe0772b34e3a73b93067f6497e72440d7e2b911151b5e79ae07b3db5d69f1306

SHA512
af24c788d73462ef6187ef20c227afff5889012a6d04be97c8f936fe3f90826b1cded331106434a48d170e9f5e50af0ef022d2273b9084a1301221d190fbc364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee938da573a2cd82feafd057bacfec82

SHA1
847276b7ea0066ea8fce8a5eb2cedc16e15902b0

SHA256
0fbff6a8b931be39c2e83d4bcbde0ccb81130b3f021313673f7bf23b45986323

SHA512
0dc902c4b731c71240dcd68250830b83492178ba156a44cd6ac8c4bc7486cd79481075058206eeffaaab92a3868573ea3fa4cc544799466b75dce7ee4116ea20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
616388f2f346e05635a857a040821eb3

SHA1
030b3ccf70b27ecf38c34a79e1a34947452a8fab

SHA256
6f16b90bfc3e673a48d3ac334d9babd517f75f15fe5a3b142f1e435d0af482da

SHA512
37d5ee0da704df585b4291da6d62c84e269fad65387ec32e50d33a1e5506f8bec365b020199c99347e56d070b0a7e317e9bcc933c7d91b5b802b96f427fef3da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7367a718dc193a3ef9b5e30b3dd016ee

SHA1
eb983d370265922e91ed80aeb8aeb87359055eec

SHA256
69ad0af5eb3f3c9245159f7a857a4354720ebec630a3621ea3989092d0a339dc

SHA512
c836a278944fbcd3694e354233c0da83128aad4afe17ff9d8354a53832798fbea91013af429b557ab9f84d0131e9541a69339820ef9c5441da321dc09e429755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85f851768cc889ee2506c7a4e3f30067

SHA1
62155ad0c617b2326c4ca07844869fc1503110c2

SHA256
94f02ca464c4a14867cc934f03b8c163446ca2e100383b395fd4b304fad22b23

SHA512
2bab1d30a5d4b620670a22e017ca739e67088615e8350c4ea224d31633ce3390e39e2923b55ecaf6257ae2503ab492dc8786a158a85875e7128fdfe87204d885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e4f70278c8829a7022aca87815a413d3

SHA1
7cb343b0f6f0153282ffc30d9654873f3448429a

SHA256
73a77adb0ae9c1e5c26242718572338cab02a79b73b03dc9e4ffe7069f4cda90

SHA512
ef54f21cdf17a53294594aef1a788f4959f8cdc468c8cf915c8907c606027ed19acae3adcac53a097f5f7e2ac889c643862de758896158154c0bea75b5e4fd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8152.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8153.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\pjgkqcsdvcay.exe

Filesize
388KB

MD5
40707cdcd4220213b9ef2545043d6c99

SHA1
7f9d3ad1125de47368644e29b5d5cd515c6497e8

SHA256
6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

SHA512
0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088

Download Submit
memory/272-6132-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-1782-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-6130-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-958-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-1780-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-6169-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-4879-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-6121-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-6172-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/272-6127-0x00000000030C0000-0x00000000030C2000-memory.dmp

Filesize
8KB

Download
memory/272-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/592-6128-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2032-28-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2644-1-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2644-18-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2644-0-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/2828-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2828-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download