Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 02:19

Static task: static1
Behavioral task: behavioral1
  Sample: 4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: 4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
Size: 364KB
MD5: 4affa384ff6ab351df42fc3a02716670
SHA1: 7bebae1ad50fd27c3df625dc3995256f7d8bb8c2
SHA256: 4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66
SHA512: 802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070
SSDEEP: 6144:rHDYm7R++Qhm/FxsB+lIB+0ODLawCi308Ki7B4iTK24D1sr:rHr2mwB+g03S5idVK24Zsr
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+REcovER+yxkpp+.txt
URLs:
- http://88fga.ketteaero.com/CBD08E65A3B6D8A
- http://2bdfb.spinakrosa.at/CBD08E65A3B6D8A
- http://uj5nj.onanwhit.com/CBD08E65A3B6D8A
- http://k7tlx3ghr3m4n2tu.onion/CBD08E65A3B6D8A
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
PID 2672, cmd.exe

Drops startup file (4 IoCs)
File opened for modification by htbdms.exe:
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\+REcovER+yxkpp+.png
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\+REcovER+yxkpp+.txt
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\+REcovER+yxkpp+.png
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\+REcovER+yxkpp+.txt

Executes dropped EXE (2 IoCs)
PID 2748, htbdms.exe
PID 848, htbdms.exe

Loads dropped DLL (2 IoCs)
PID 2992, 4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe (2 entries)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by htbdms.exe:
\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\vssitfmgf = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\Documents\\htbdms.exe\""

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
PID 2888 (4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe) set thread context of PID 2992 (target 31)
PID 2748 (htbdms.exe) set thread context of PID 848 (target 35)

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: DllHost.exe, NOTEPAD.EXE, cmd.exe, 4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe (2 entries), htbdms.exe, cmd.exe, htbdms.exe

Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 1832, vssadmin.exe
PID 936, vssadmin.exe

Modifies data under HKEY_USERS (1 IoC)
Key created \REGISTRY\USER\.DEFAULT\Software\Axronics by htbdms.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 848, htbdms.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeDebugPrivilege, PID 848, htbdms.exe
Token: SeBackupPrivilege, PID 1208, vssvc.exe
Token: SeRestorePrivilege, PID 1208, vssvc.exe
Token: SeAuditPrivilege, PID 1208, vssvc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID 2212, DllHost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
PID 2212, DllHost.exe (2 entries)

Suspicious use of WriteProcessMemory (46 IoCs)
Source PID (process) wrote to memory of target PID (process tree index), with the number of identical entries:
PID 2888 (4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe) wrote to memory of 2992 (target 31): 11 entries
PID 2992 (4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe) wrote to memory of 2748 (target 32): 4 entries
PID 2992 (4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe) wrote to memory of 2672 (target 33): 4 entries
PID 2748 (htbdms.exe) wrote to memory of 848 (target 35): 11 entries
PID 848 (htbdms.exe) wrote to memory of 1832 (target 36): 4 entries
PID 848 (htbdms.exe) wrote to memory of 884 (target 45): 4 entries
PID 848 (htbdms.exe) wrote to memory of 936 (target 46): 4 entries
PID 848 (htbdms.exe) wrote to memory of 2684 (target 50): 4 entries

System policy modification (1 TTP, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" by htbdms.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System by htbdms.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe"
  PID: 2888
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe"
    PID: 2992
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\htbdms.exe
      Command line: C:\Users\Admin\Documents\htbdms.exe
      PID: 2748
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Documents\htbdms.exe
        Command line: C:\Users\Admin\Documents\htbdms.exe
        PID: 848
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
          PID: 1832
          - Interacts with shadow copies

        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+REcovER+yxkpp+.txt
          PID: 884
          - System Location Discovery: System Language Discovery

        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
          PID: 936
          - Interacts with shadow copies

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\htbdms.exe >> NUL
          PID: 2684
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4AFFA3~1.EXE >> NUL
      PID: 2672
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1208
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2212
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

Filesize: 37KB
MD5: cb15a1ab0f3175caa30946b5dd534578
SHA1: dfb3cd72e79b36f32ce2e196cebd754b03f95c88
SHA256: 1d21fbebf80c0f01fc748581d67feb872c4b3de8304b6f7a1d28ec64df1f8fcd
SHA512: 8bc1ece33638b5ba56b5a579d3ac7af29ed3bfafcaf8ae3bd6e269c4f93fd03bd425fc1b1ba041d8674072bfe013b6974c5810fc85468c91566c3c76fd71afe0

Filesize: 1KB
MD5: 843d484dfca3c6534719a82b184e7be3
SHA1: f6001346c20f4e077041e07d345cd37a6b743878
SHA256: c4e3275538c4b97c783fa65e2a24aa9539bc9e26cee4c85be366757281ae20fd
SHA512: 0bb110d5e849c37840502d6ddb48b9c62c7422d1e8e74363108fbf1b400fcd6705046590514834bdecd03c641f9f03b1b03ebb794373f156d839ea2a97dd65a4

Filesize: 364KB
MD5: 4affa384ff6ab351df42fc3a02716670
SHA1: 7bebae1ad50fd27c3df625dc3995256f7d8bb8c2
SHA256: 4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66
SHA512: 802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070