teslacrypt | b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

Resubmissions

20-10-2024 16:47

241020-vaj5ps1blj 10

19-10-2024 22:18

241019-172znsvajm 10

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Size

356KB
MD5

5ef1fdd422951c153db8c39b87e84e5d
SHA1

a89966004343653b2d20c06b373b1390ed0450d3
SHA256

b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA512

94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
SSDEEP

6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/4EF4ED8C821A875E 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/4EF4ED8C821A875E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E

http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E

http://xlowfznrg4wf7dli.ONION/4EF4ED8C821A875E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2284 cmd.exe

pid	process
2284	cmd.exe

Drops startup file 6 IoCs

Processes:

tnvhutyoduas.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe

Executes dropped EXE 2 IoCs

Processes:

tnvhutyoduas.exetnvhutyoduas.exe

pid process

2656 tnvhutyoduas.exe
2996 tnvhutyoduas.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2656	tnvhutyoduas.exe
2996	tnvhutyoduas.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tnvhutyoduas.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\vipalce = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\tnvhutyoduas.exe"	tnvhutyoduas.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exe

description	pid	process	target process
PID 2212 set thread context of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2656 set thread context of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe

Drops file in Program Files directory 64 IoCs

Processes:

tnvhutyoduas.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Google\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\CopyRemove.zip	tnvhutyoduas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_ReCoVeRy_+ddrwy.html	tnvhutyoduas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	tnvhutyoduas.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_ReCoVeRy_+ddrwy.txt	tnvhutyoduas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_ReCoVeRy_+ddrwy.png	tnvhutyoduas.exe

Drops file in Windows directory 2 IoCs

Processes:

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\tnvhutyoduas.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
File opened for modification	C:\Windows\tnvhutyoduas.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.execmd.exeIEXPLORE.EXEcmd.exe5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exeNOTEPAD.EXEDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnvhutyoduas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnvhutyoduas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000014442d246c2b5a494cdfbfbaf5913c40d21b429845f2ecbd8c281d705a31bb9b000000000e800000000200002000000037b17b5dd6464c138c6a3accf3afce6030f46f642e2f8f82ae63d5b34da2a91190000000cdd2f985d54ce32b44a2d59a08eb3a09ca7d4c5dccf5eee43d40acfef49e0fbfa7086a9915b88352cdb141aafc8c2882619418e2af01c5a381a18b703cafe9d02c791e9eb32921420a92b4ca109e3ef046ccf1dbbc01beb3ce15d352111ab567465387981593119c54bc7383f064969ce974b1c150fca9defe3d1e8110f5b237009eb0e1335db8543b934bf8df03499440000000ece964054d57f498041f2a10ee485f34a4f377325b347a5b4add60ad9ec582ffdf188d566ca148d09fa859cb4939e0027361c047d7891eceedef9986d24bade4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{407F99F1-8E68-11EF-9A8E-4A174794FC88} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dcfb147522db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000000549a399c75cc6bedbd6e6208122f9b085adc1fddf41fb0bb3064adb8accbf79000000000e80000000020000200000007ed16827fbd0d2817b734b80f1491119e86b4d5ef543a2281a5942fa23c10e2b20000000d32890d47397ac8c99195e2c72da60771d77e67fd256b8b8bf83f7141baff844400000006db4c4a7e9f7ed996698423e4a3722e004790bc6edbf5535b65527412341564c2910b504e7e2a960f3c41c8ae0c01e6fbc44230441675b8339044f73dbc271eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3024 NOTEPAD.EXE

pid	process
3024	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tnvhutyoduas.exe

pid	process
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe
2996	tnvhutyoduas.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Token: SeDebugPrivilege	2996	tnvhutyoduas.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe
Token: 34	2868	WMIC.exe
Token: 35	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe
Token: 34	2868	WMIC.exe
Token: 35	2868	WMIC.exe
Token: SeBackupPrivilege	1684	vssvc.exe
Token: SeRestorePrivilege	1684	vssvc.exe
Token: SeAuditPrivilege	1684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2744	WMIC.exe
Token: SeSecurityPrivilege	2744	WMIC.exe
Token: SeTakeOwnershipPrivilege	2744	WMIC.exe
Token: SeLoadDriverPrivilege	2744	WMIC.exe
Token: SeSystemProfilePrivilege	2744	WMIC.exe
Token: SeSystemtimePrivilege	2744	WMIC.exe
Token: SeProfSingleProcessPrivilege	2744	WMIC.exe
Token: SeIncBasePriorityPrivilege	2744	WMIC.exe
Token: SeCreatePagefilePrivilege	2744	WMIC.exe
Token: SeBackupPrivilege	2744	WMIC.exe
Token: SeRestorePrivilege	2744	WMIC.exe
Token: SeShutdownPrivilege	2744	WMIC.exe
Token: SeDebugPrivilege	2744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2744	WMIC.exe
Token: SeRemoteShutdownPrivilege	2744	WMIC.exe
Token: SeUndockPrivilege	2744	WMIC.exe
Token: SeManageVolumePrivilege	2744	WMIC.exe
Token: 33	2744	WMIC.exe
Token: 34	2744	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1744 iexplore.exe
2420 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1744 iexplore.exe
1744 iexplore.exe
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
2420 DllHost.exe
2420 DllHost.exe

pid	process
1744	iexplore.exe
2420	DllHost.exe

pid	process
1744	iexplore.exe
1744	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
2420	DllHost.exe
2420	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exetnvhutyoduas.exeiexplore.exe

description	pid	process	target process
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 2212 wrote to memory of 1688	2212	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
PID 1688 wrote to memory of 2656	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	tnvhutyoduas.exe
PID 1688 wrote to memory of 2656	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	tnvhutyoduas.exe
PID 1688 wrote to memory of 2656	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	tnvhutyoduas.exe
PID 1688 wrote to memory of 2656	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	tnvhutyoduas.exe
PID 1688 wrote to memory of 2284	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2284	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2284	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2284	1688	5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe	cmd.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2656 wrote to memory of 2996	2656	tnvhutyoduas.exe	tnvhutyoduas.exe
PID 2996 wrote to memory of 2868	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2868	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2868	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2868	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 3024	2996	tnvhutyoduas.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 3024	2996	tnvhutyoduas.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 3024	2996	tnvhutyoduas.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 3024	2996	tnvhutyoduas.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 1744	2996	tnvhutyoduas.exe	iexplore.exe
PID 2996 wrote to memory of 1744	2996	tnvhutyoduas.exe	iexplore.exe
PID 2996 wrote to memory of 1744	2996	tnvhutyoduas.exe	iexplore.exe
PID 2996 wrote to memory of 1744	2996	tnvhutyoduas.exe	iexplore.exe
PID 1744 wrote to memory of 1704	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 1704	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 1704	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 1704	1744	iexplore.exe	IEXPLORE.EXE
PID 2996 wrote to memory of 2744	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2744	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2744	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 2744	2996	tnvhutyoduas.exe	WMIC.exe
PID 2996 wrote to memory of 1808	2996	tnvhutyoduas.exe	cmd.exe
PID 2996 wrote to memory of 1808	2996	tnvhutyoduas.exe	cmd.exe
PID 2996 wrote to memory of 1808	2996	tnvhutyoduas.exe	cmd.exe
PID 2996 wrote to memory of 1808	2996	tnvhutyoduas.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tnvhutyoduas.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tnvhutyoduas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tnvhutyoduas.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\tnvhutyoduas.exe
    C:\Windows\tnvhutyoduas.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\tnvhutyoduas.exe
      C:\Windows\tnvhutyoduas.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2996
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1704
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TNVHUT~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.html

Filesize
12KB

MD5
ccea1accd625cdbaf4017eb8fdce9c6b

SHA1
c2c27ea2af80e511f182f6bf376bdcb032a5165f

SHA256
056ae90b6c993e2f222dee91cdd562404e08d9f846805dcb9598d949d23e1f88

SHA512
786f6d942c8e7b096bc6fa452352f7c158a07cb759f7c4ac03d5db2faf4eaddc81649badfe68d1e214b2dde15cacc3a0bb9a8e701c9ea8cf330bff0508752de2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.png

Filesize
64KB

MD5
45e417be3bccd1b4a925b3640b21a923

SHA1
fe57898423449018bebaf99be2f6766dcc4ddb06

SHA256
f5a09074c42fb3789671e3fbcb0972f414a989208f36ef86e6fe340fda407900

SHA512
b9aae0825b84c64740c1707a40101a251c57d8e6fd3a475a7181531b484014b4b2cfee3cb4d90ee13d01851edb2e950cae4ad1ca79b0263bcdb994a9d1653305

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.txt

Filesize
1KB

MD5
046b1fbcb17169d61e7c723590fb5925

SHA1
7665f0b04d3ac161e6c4e5005f5fde93b03606a6

SHA256
b7f900d45d1b32ccaa7e769666892192af1a5b208adec9f1c51e0afff51e3dde

SHA512
8602cc538d3ef683c1db0faeceec616a0181e4f504bc4f85a01b50c277c7bb437c31041e987b70e4903b68c13fb9ab62fb398ea063151c467663523bedbc1280

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
32465cc129b5a22712cfd9d3c34482e6

SHA1
48839144d45a0819af31b53eb360a4ba82989fff

SHA256
d4e70c6086a2aa3ea2984fba0a4947b2ab265c53bd51bb2311529aaaa978bf59

SHA512
7f6fc6fb5fee41d33163de201fec47ff6ad52a543c751166d34a99f1ca0ccfac4b1783c735d840c840d7db6c676260abd74b2e6720b60be666be8f75598a0dba

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
4d85c5972eaa2580d23ae16e9b49997f

SHA1
b32a8e1c131bfc66ab5d7473fa3eb1249365faa6

SHA256
03a555f00696bd77489494760de8d4b6d9fb383cb7444c337f777870f72c287a

SHA512
6c9964266e152b639ca38d657d2710113525724c9ab5710fd0d00898e794674b86c405bd3a02c8490e984988abc0051774d3b9e478a804947437ec0fc1575811

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
76cc74b248121248d6bae8d454f0cd4d

SHA1
1c8d07c62150f22e14a4d9c0b1697fa4f73805b9

SHA256
e73cf53909128a9e8d377dbd082d9a9af3f556df024958d651fd9681b33cbdb7

SHA512
5a41ec79f433b7514b44f6948fd781e2fb85d4b4d1847dab9c1e4cc57c95ca76a76077e2b99efc9bfbd8d6514b31166fad2fa012fdef8fdb8b75a23b8f59fdad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f94dcf3b95ca2a335186b8e14dee7f6f

SHA1
fb4ec0ceef9bff54c6d1679cefe437b3e7358f51

SHA256
7b038e9bbe5550d47dd4aa226effda32ccf88ba927bc6ef6634b60ee5c45a23a

SHA512
ff3cb646ccce7995fe422287911d4f9f2e585b0496e755b07237d630c75e6bcda2377c2c10ed755584c329044c8b79331c814fe3fde9941539118921526d4492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f8c07e8107ecab1870e82a23da6ef9

SHA1
ed86cbec5199867eb86843aad7441c59802455bd

SHA256
f34bd2b747c2a014cbd7e318f5b8bb8974621dfe8ef196f19744433bacbab27e

SHA512
fc94dcf94ce3f758010de3ef45f485e2e908708169b42defe0d33dbb7b3c2af716bf9a12df74840d89538add420171c7eb6045b7f79893f8ced41897808ea92b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa5cd3450df11d1bc166c93b44ac3ed7

SHA1
fec1ba37098888240434dc67e2807590546062b4

SHA256
a6ae0cd3f05389a9f583bab1e917c7c34e96221ed1b36b01299521b31d9dd26f

SHA512
e1f6418a80638f9a3b6216e34f9d9c91d60fedf289438bc0e22a60011eba4c000a1a5b000548009e48c902d834da18d2e572de34481bcde49f4dc59dd5f57902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e96d736e72ff4a5c8234593b08dbf910

SHA1
aa624dc050ca671b7a37c4ab786730706ac8c5bb

SHA256
25e33b97b9ca574b3a885987c7c20bddd9c9f07d1a888744c5a270b04f1453c1

SHA512
06548c1f0828e325380e5642fc4b70c432e579bf847d7d4fcdfec60f73a2a1e3b2ecdbd5a858e4fc028ca1abe62d350fd7dc6ed01e1dced2ff91be99c670027a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c758a2efd84f8305d8a5032b1970eff

SHA1
c9c5e13692aacfd6295958ba89bda50d398e1294

SHA256
213889d2665f7abd6ada83cd5ee2b8a0a7ddd683053aa51b48c7a6712826eb89

SHA512
3edbc4f7904a7a0fe5adb6eb3e336eae390819d52ebacde65e65d0a8421d8d740448cfa4551a2c56fe3a659af17b7be912bb8f82ebe500abc72dad5c24bcb9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d5c7b6361760f4ecbe441125f1ccc84

SHA1
7ddc54d383262e33dfe8d6714b278aace79c03b3

SHA256
6ae6a5c4db22ea5fbf0e96bfb16b23ece2ef9c3c0d938e6128edf49311fdcdb0

SHA512
8fbfa1ddb98b4bbe42ef0d66b384ac8ad52ca911e615fc0e104fdcdb7f408e120b8ed1b1435379ed39ae29757d6c68d001be1eedad5d5246ab4e951bd03ca7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c961bf3a83c118f1938c7ad3c8fb619

SHA1
48a6c6185099cd2cd50cb1583fdb0d76a47dce10

SHA256
0c19f05535c45ef9aef8dae48a7cb3fefd86fbc6fb18dfd8ad694d70dc81f575

SHA512
b4d1533b5cc20336ac87765368c3bf0ef77ccd63c4fc0bd629f7ce8dcd3f598254b296615584abf3da9f8e4cf4ebe05050c97a38ef71b7506995085acb4ed1a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bb58993c37076cd356f82c27afff5f

SHA1
2774da3250e4e27faa170529c70dbb6fa7fb0c8d

SHA256
d399f6a5a085890b632184d4a50e6b38e69cfa953b245b05186b0ef36aa69f10

SHA512
57088ffa9e22d7c050a5b6333f7c7b7e1df680b8e1000d942bef4aa0a271ffbc919aef007e3f971c4fada235d79888e0f3b26088fcf6ab678e7274ecab6755d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b40c62fce61c5d351cf9e28f276066ed

SHA1
136354b7590dc79d0dc4f68e59c09a46293ce776

SHA256
913114acd3a7be8cd0648b1c071c9fafb0f5a342e42023dc79c9e13ecdc68c27

SHA512
818c489bfa9ccc089969ad46f8e7ec298c2abd7efb5ea2bec12d4f862d6f63d77cf1016f6b7c5c9691066151556363e5894c5f1fee171a917dcc6e5217cdcb64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ebaa7c6fa3716231fc29f6c333b01b

SHA1
66c496cad91e5d98e49dc026fda977d9a4402a38

SHA256
429e5277fc897d82aaa6571c6fdc4009d1a892932fe6c012a419d079b460a369

SHA512
719e665696475368a52c910b8cef5603eefeedeb8ab8bc05b404f4bcfce076bbeb732677e023ad8394719e7b0ddf33ce1090d5aae32f378f2c557292209475b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE958.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA07.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\tnvhutyoduas.exe

Filesize
356KB

MD5
5ef1fdd422951c153db8c39b87e84e5d

SHA1
a89966004343653b2d20c06b373b1390ed0450d3

SHA256
b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

SHA512
94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

Download Submit
memory/1688-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1688-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2212-18-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2212-0-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2212-1-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2420-6136-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2656-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2996-1897-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-6146-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-6143-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-6140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-6138-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-6135-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/2996-6129-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-5234-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-3045-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-1898-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2996-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download