teslacrypt | 1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0

Analysis

max time kernel
119s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
Size

384KB
MD5

65f583e82e837183c8962dfdbf5bdc35
SHA1

5181731fa74f097de73d81ff347fe2fec634887a
SHA256

1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
SHA512

827817ae552ebc95dd541d62cc04af0cb798bc33af3960153f403a945f1cb139129fa6e40cd09f359bbc673ac6c11118eeecf1a33790873a9c070bc487e24a43
SSDEEP

6144:SzVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:pON09XotWgOfmgLA8cNYQAojtwU2xnv9

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+dpmtf.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A07CFF8BC494239 2. http://tes543berda73i48fsdfsd.keratadze.at/A07CFF8BC494239 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A07CFF8BC494239 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A07CFF8BC494239 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A07CFF8BC494239 http://tes543berda73i48fsdfsd.keratadze.at/A07CFF8BC494239 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A07CFF8BC494239 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A07CFF8BC494239

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A07CFF8BC494239

http://tes543berda73i48fsdfsd.keratadze.at/A07CFF8BC494239

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A07CFF8BC494239

http://xlowfznrg4wf7dli.ONION/A07CFF8BC494239

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (410) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+dpmtf.txt	sbowqhnifqfu.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxappqjbhrji = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\sbowqhnifqfu.exe\""	sbowqhnifqfu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 2712 set thread context of 1580	2712	sbowqhnifqfu.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Mail\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\Recovery+dpmtf.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Recovery+dpmtf.txt	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\Recovery+dpmtf.html	sbowqhnifqfu.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\Recovery+dpmtf.txt	sbowqhnifqfu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sbowqhnifqfu.exe	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
File opened for modification	C:\Windows\sbowqhnifqfu.exe	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbowqhnifqfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbowqhnifqfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14FCC301-8F7D-11EF-9DBD-525C7857EE89} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000d342bab3a93a5ed5c9ae315087fec3b31a6b902bc60ac26aeb444c3e653502e9000000000e800000000200002000000038998b821eb3840becdc823183f5a9b659e0d573b1ba1131d437500ed478c499900000000f959ac006993991f908482b261c37d600e9892a53def16d6b1a1ffa7d11a937bbcb0563ea7b6fbb6be996ca8a667a5ec9410b44dba5a076718c1079b424ab64e609a0a960738f5fb40d0d324fde569f13f61e41eaff83b8caccf7ceb489f2de0a9b24a770d7a085f418436350a5df734a14969c67f320a3120b63b5bc690200f87795645067bd3d68678d9db280d492400000004d6b5ba1d6acca2b6f35dccaed25d43215d5ee59e0fd319e37c094c7c4b0dba4417946d50cac679c9f9ef6ad365141a09d9aff0a199c9ae4aa38dae8145ee0e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000a96b313ff5fb2812343698703f826e1d2a1c3e7b0a9144a66058014eaa6c53b1000000000e8000000002000020000000fd27294bc7467522d3aab2595aad1f88890fb771d56c131bd9eb7f888f9d37e420000000dace4a790d0d9161ef741f68beaf7e49101214f37179e85bb577608913abab8340000000d0544e8e62fba79038ae51ddc77abab6174294715f9833ccf17c3c916e5cf7aa7651c594346ec790b3dabb2e788ebf1de09881a855a05a1d6dcc5a55ab461669	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fc84e98923db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sbowqhnifqfu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sbowqhnifqfu.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2176	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe
1580	sbowqhnifqfu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
Token: SeDebugPrivilege	1580	sbowqhnifqfu.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2776	iexplore.exe
2260	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2776	iexplore.exe
2776	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2260	DllHost.exe
2260	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 376 wrote to memory of 2700	376	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2712	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2712	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2712	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2712	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2908	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2908	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2908	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2908	2700	65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 2712 wrote to memory of 1580	2712	sbowqhnifqfu.exe	34
PID 1580 wrote to memory of 2324	1580	sbowqhnifqfu.exe	35
PID 1580 wrote to memory of 2324	1580	sbowqhnifqfu.exe	35
PID 1580 wrote to memory of 2324	1580	sbowqhnifqfu.exe	35
PID 1580 wrote to memory of 2324	1580	sbowqhnifqfu.exe	35
PID 1580 wrote to memory of 2176	1580	sbowqhnifqfu.exe	43
PID 1580 wrote to memory of 2176	1580	sbowqhnifqfu.exe	43
PID 1580 wrote to memory of 2176	1580	sbowqhnifqfu.exe	43
PID 1580 wrote to memory of 2176	1580	sbowqhnifqfu.exe	43
PID 1580 wrote to memory of 2776	1580	sbowqhnifqfu.exe	44
PID 1580 wrote to memory of 2776	1580	sbowqhnifqfu.exe	44
PID 1580 wrote to memory of 2776	1580	sbowqhnifqfu.exe	44
PID 1580 wrote to memory of 2776	1580	sbowqhnifqfu.exe	44
PID 2776 wrote to memory of 2816	2776	iexplore.exe	46
PID 2776 wrote to memory of 2816	2776	iexplore.exe	46
PID 2776 wrote to memory of 2816	2776	iexplore.exe	46
PID 2776 wrote to memory of 2816	2776	iexplore.exe	46
PID 1580 wrote to memory of 2848	1580	sbowqhnifqfu.exe	47
PID 1580 wrote to memory of 2848	1580	sbowqhnifqfu.exe	47
PID 1580 wrote to memory of 2848	1580	sbowqhnifqfu.exe	47
PID 1580 wrote to memory of 2848	1580	sbowqhnifqfu.exe	47
PID 1580 wrote to memory of 1044	1580	sbowqhnifqfu.exe	51
PID 1580 wrote to memory of 1044	1580	sbowqhnifqfu.exe	51
PID 1580 wrote to memory of 1044	1580	sbowqhnifqfu.exe	51
PID 1580 wrote to memory of 1044	1580	sbowqhnifqfu.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sbowqhnifqfu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sbowqhnifqfu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\sbowqhnifqfu.exe
    C:\Windows\sbowqhnifqfu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\sbowqhnifqfu.exe
      C:\Windows\sbowqhnifqfu.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1580
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2176
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2816
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SBOWQH~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\65F583~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+dpmtf.html

Filesize
11KB

MD5
8b3fea40ec03551ecf5c445e756c0499

SHA1
5cdd2b9288be0fcf168a54b8ddd3d7b98351b77b

SHA256
aa3d22eee0da29bd6a2d95cf072944d45e9cf607360e38839748f2baf47fd0f9

SHA512
d338c7b7f2c06b2d8db29c3691c78c5980591270c696a139b131a19f9394bae4d047507f59c6f2a25743009ea94d53a638b57e1c4bfdda69d8fd420cf819fe5a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+dpmtf.png

Filesize
64KB

MD5
b471ef04d6009e96bc673bc47d9d79bf

SHA1
dda23d327ec0a77f376f29ed6650eee1d5508b29

SHA256
5e796937ad1a7ef084a09c50d42f7cd6c6db6c4d204709fcdd1c52fe79cc38f8

SHA512
82188f88c2d9ea6054dd1a144f008cae6a201379a800f26c2c3762f3d71a05006128fe56fd4ebbd3bc0576a85129cc589a3c4b9a66be857f5fd1509f30a8d80f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+dpmtf.txt

Filesize
1KB

MD5
37cce6149939c8f25cf58258295b0ec3

SHA1
1b9bd5a8be3ad05f185c14c787e2b6f988b18e00

SHA256
2ac7e0932cdf305aa846dfb269c0ccff60efc288f3caa53b8e7f7628dc60cbd2

SHA512
c40359cb6333dcec4b36641fe52f3ab048839299785ab9077eaad50cfcc22a1e2df7b469e16153ca2f1873e0ad8200ca45232f9577bdbfdeb477cd6b38e19028

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7484bea31b1651b0f64892dfcab285b7

SHA1
f27229bb15c4ec63a1c0da2ed72117c2c93ef60b

SHA256
62e58f39e50348f77497bc8bb39353c7b8f0db15cbe09c0890131e422001ef16

SHA512
fbf7d9c3522e3985ad85419e10bfa70bd82054389b27f725a3e74e6f01eb8431ee3a505465f4d817404c2a787455f0608984edf6e7c5e94fffe40aa793f35359

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e784539245e4301bc016b957e471340b

SHA1
792547b09b59c010d786d72d966156b4d304e16a

SHA256
da70b2d745cf31b25283eee2abdb22d7db968fa1f6cbfa34e6ada3d684e08678

SHA512
a43cd3a67f20d90a7c9d018c0dda4aab010fb2a56cfcab2ff3e1002c9dfb2ff3f75c29a0e56ff04794f130d7984b5959203a44ed8e8bd17c0a4ee1fca3ed7349

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
bd4a0ee91cd14dc3c1c72a3024a472ed

SHA1
e56c228f4c6d213a5c6ad76dcd7e57125f1ac786

SHA256
cfa3b30885119558dd9d0f9cb8b83b80f1c55c079143db6e2a45bb8db535f329

SHA512
d313ab2c4cdc8ca02d939feb887e322cf3ad8f3d175b5ed113545c68888016ee935ba367348a113420dbc4d346cadf88eb16688a85d235c43bb2c868d608ce6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5d3189ed3d8cd0504875fa80343fb9c

SHA1
a51a6ce0f10bc9e145e2549c19c6baaf53452af7

SHA256
e4215187ab3d4c5678caf5efc788ab2f2a6446da37e21c8e9536611b5caefc99

SHA512
5ec22818f195a3f37edbeb4abf9003e20c5a200f447f388b371b9289f39a616ba8dd2ef27280bb568d117995f1200c729395bec329732c15cb19dde0b94e552b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b9999a43e09efdb8b5e351b46ab2f66

SHA1
efd23fd1d18222a2cc670e8bcaf28c3fc1c78383

SHA256
4172e3a394af7ac2328a2d940bf7be0b76bae930f8e9f28e27bc08c7a778d383

SHA512
8cf0b2421c3bb8bdee9ec06876d23df0ad292810774653aecfaa4845d790462c3faed6c9fee704a9e9bb72102b9c4d943251ce0fe2f71fee3170c5b103936b95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6b65fd52e5fe389cf7f0fd01d1eb63d

SHA1
1990d26c2c894f843a73b0f270fe68c71056744e

SHA256
72ece26bbaa63ddc32a2ef4b104becaa6237fe6e3f21372a892cfc816d4ea216

SHA512
0953dff6cbeeb15720bb67c317965de6121d89cff0a81acc077077e0252e98b28ef86cda62412691efceb524400587e542eb8bd9e5e1d3171152118ffdbb1ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88f7cd62f0756d7803f06f63781ea3a0

SHA1
482c1630b62ba5a0feac1d937303937bc2feb28f

SHA256
7f4e39d00e7219614ddd9a8ce63660550e45ce3fba039cbcdd20d9d3f2a164ac

SHA512
b5b2fe31a9784697b550eba1830c08a48aa19cdcb58ba4ae9552b5e583357dd8140c66015a5e495ae06f02814677fdf7eab04c426fd891e6dd77be25ae7eec4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81494885888767fe7c0d77ca9720da85

SHA1
5c3a1ff4e5c092d69d3e54340ab24a9fb7b22df4

SHA256
0f85922b06f4854261a336c6794fe44cd60346c52d806afb7fa4b71759bd542b

SHA512
11706a43718e177a882dba2800d6ed1bb41a9cbe1c9a84cf8d6032a613c8251f1f1d79727c747e80a7e7af477084974fe52c36265e202030068d21a03f6aad2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e8aef442e4d105c1dc73a050db96c2a

SHA1
6135ac26ea91f104acd816541f022bbe2c79ef3f

SHA256
2280e43d0d4d6dacd45042feafe95f844272022540ad2f427a8041a36eb976a2

SHA512
2e53c78f5b5d59bcd02dbc44202c11b2693d050d05342c4341aca32ccd4c3ceed362727deeca6b68acca7cdaabe7d6ccde5a8bf0267783bc3e4982068ec35ef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82d18cc7269aae99e7a4da9a2d0692d0

SHA1
bddcd2e866943b8d6ac64742e790d5e2d91d4bf8

SHA256
ccc4597e40e7aee8a7bdb4fef31ca5d1e147b4c19ec1f958e8335b3f448745fa

SHA512
455e1f9b18778c8ce6973d53af73d3cc6872d496aa6d74b9a0c09a265804e4234ac195e0a663ebe9ceb9fec9a8a1f7f0a28ad4cb882bf42b4513670ceb273e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
349d5270c1a1ed439db7e7dcbbd874fd

SHA1
dff36ec2c3707d13ec79f5bfc0c9109ef411173d

SHA256
e93bc5cbc918af383eaf3ce51de1cf4e34b955d7d2d818be87776364ddf3728e

SHA512
8ae3f41aab4e8554dce3bb0d8695259281104ad3c3f4b538644e5dae588295a4b14c98decf9320f1f5a55e374e3bec49a78406c2c18d907cff13c1ee10eec52f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f79cc950ce609df69fae5a054e17b83

SHA1
4aa46ede78df95fc73147b56a28a312d81b5728e

SHA256
3ac3338657cce5839285d16aabaeb819eb6832f7130a172d342a2af5e704e774

SHA512
b24b6a78af06daaec815475ca1936d4d022ae2d453fe898c21a172331858eab5ff509f0805c666211c2b3136b046b8b136d19921564b40c468b51d1b69031114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04814a9ee4638b65f09e0b8ca0c23b7c

SHA1
8432dc6bd5277cd115fbc8f8b3b48c889d7218bb

SHA256
dea36b7238dabb3f9ed33ae7577da81ba4d3752d06089973cfb23aa726ea7043

SHA512
d9aff82e5a58c00e7d7936a25eae681519c01cec8c6ae4b56fdc9b214a6d3daa4bb6e0f797935bfb4a26cbb18641977e71f531b2930238a5818e21f4a7b0ef96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ac0ef28e39f635fc42364324cc97722

SHA1
006bfbcfc48327621bff7e66f40f6b65081b6e69

SHA256
0f4d11d0d84b256ad8264bdfecc697a26e6b834afbc104b6df4a88a1508c70ac

SHA512
c66f6267adf0ede3055904a06c1b98c815de393b6c754701551e6c3cba730ef30aa92cedc891937632dcddd1f09acdce355a9ea558b1fcb8cbb0370c5b401792

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFEF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFEE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\sbowqhnifqfu.exe

Filesize
384KB

MD5
65f583e82e837183c8962dfdbf5bdc35

SHA1
5181731fa74f097de73d81ff347fe2fec634887a

SHA256
1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0

SHA512
827817ae552ebc95dd541d62cc04af0cb798bc33af3960153f403a945f1cb139129fa6e40cd09f359bbc673ac6c11118eeecf1a33790873a9c070bc487e24a43

Download Submit
memory/376-0-0x00000000002C0000-0x00000000002C3000-memory.dmp

Filesize
12KB

Download
memory/376-17-0x00000000002C0000-0x00000000002C3000-memory.dmp

Filesize
12KB

Download
memory/376-1-0x00000000002C0000-0x00000000002C3000-memory.dmp

Filesize
12KB

Download
memory/1580-6097-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-1779-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-1783-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-5159-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-6072-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-6078-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1580-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-6082-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-6094-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-1098-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-6096-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6079-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2700-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2700-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2712-28-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download