teslacrypt | 4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
Size

388KB
MD5

97ee4e31ab54dd1286221f66882afc62
SHA1

ed782ac0c113e6ee1573539927f3374b8c3e859f
SHA256

4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486
SHA512

1e62643409d12493e3e53da846b746496ae55ccd207ae3aebc321744a62717ea8bbe74280ec5d7373a3478ba16bd5763711a002fc8778aaf1a6f068ffd80d1b0
SSDEEP

6144:9YMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:9nSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ppwtr.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6BD2813AF3F701B 2. http://kkd47eh4hdjshb5t.angortra.at/6BD2813AF3F701B 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6BD2813AF3F701B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6BD2813AF3F701B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6BD2813AF3F701B http://kkd47eh4hdjshb5t.angortra.at/6BD2813AF3F701B http://ytrest84y5i456hghadefdsd.pontogrot.com/6BD2813AF3F701B *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6BD2813AF3F701B

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6BD2813AF3F701B

http://kkd47eh4hdjshb5t.angortra.at/6BD2813AF3F701B

http://ytrest84y5i456hghadefdsd.pontogrot.com/6BD2813AF3F701B

http://xlowfznrg4wf7dli.ONION/6BD2813AF3F701B

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (413) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ppwtr.txt	ayndhebhovnr.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	ayndhebhovnr.exe
2260	ayndhebhovnr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ykbpipvedeiu = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ayndhebhovnr.exe\""	ayndhebhovnr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2992 set thread context of 2260	2992	ayndhebhovnr.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\ReadNew.mov	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\Recovery+ppwtr.txt	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+ppwtr.png	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Google\Chrome\Recovery+ppwtr.html	ayndhebhovnr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\Recovery+ppwtr.html	ayndhebhovnr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ayndhebhovnr.exe	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
File opened for modification	C:\Windows\ayndhebhovnr.exe	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayndhebhovnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayndhebhovnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D789B891-AABE-11EF-BF50-D686196AC2C0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000457fa7a941c7570856f359c328fa02e002c0b1119220bf63ad5dd223e85a6d9a000000000e8000000002000020000000538de68adfc60463a37692904cd44e922e1265fb5c273eb4be9d08f61f2408c320000000a7ae998acba54d9af82152004670a45a9e195f4be438a264f1b995bbf126e6b4400000000b5f50b1fcb0cb44c80855e228c531cd392a4d5dab31ef78be279fc9582d63f2d4dd1940f3327a021d38d6e6fc8afd11acc8e5a2d5b61b24309c2f8dd2868b11	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000008552f5d359d6b9fa724996dce1318266169cc9c1d8f1b38890950bbe15f492a2000000000e8000000002000020000000909a3353f93cf9d3609ebdb0dea69b4e18ff8ab1d16ecc54dc143c318b163a0890000000481a7b740d2f8f4bc8b733738ddf92ca090d97cfe6bfbc9432bc4c70eaafdcb277944b5f573cb8fe2adea27914fcc0b7c814f284262e9017c01ad24086385807e5e0be7fb993a1ed779b86f50333df8711d2980d3de43d8773f13df51b92ac9c12de25c9b747fbcfcb37e0d5413509a2ed8a7af6e910a7228177e55fa2ca153f599bec47f575db6f1a4b1f83be01bbd040000000f7fd2236c12fee1742ae909524f5bd27522ddb5c04a6ce62f5064a3ccad3569d4f199d3c67b17f9c036c997286179d167371133b4c38607f65676423d33d3f6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601cfaabcb3edb01	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ayndhebhovnr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ayndhebhovnr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe
2260	ayndhebhovnr.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
Token: SeDebugPrivilege	2260	ayndhebhovnr.exe
Token: SeIncreaseQuotaPrivilege	544	WMIC.exe
Token: SeSecurityPrivilege	544	WMIC.exe
Token: SeTakeOwnershipPrivilege	544	WMIC.exe
Token: SeLoadDriverPrivilege	544	WMIC.exe
Token: SeSystemProfilePrivilege	544	WMIC.exe
Token: SeSystemtimePrivilege	544	WMIC.exe
Token: SeProfSingleProcessPrivilege	544	WMIC.exe
Token: SeIncBasePriorityPrivilege	544	WMIC.exe
Token: SeCreatePagefilePrivilege	544	WMIC.exe
Token: SeBackupPrivilege	544	WMIC.exe
Token: SeRestorePrivilege	544	WMIC.exe
Token: SeShutdownPrivilege	544	WMIC.exe
Token: SeDebugPrivilege	544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	544	WMIC.exe
Token: SeRemoteShutdownPrivilege	544	WMIC.exe
Token: SeUndockPrivilege	544	WMIC.exe
Token: SeManageVolumePrivilege	544	WMIC.exe
Token: 33	544	WMIC.exe
Token: 34	544	WMIC.exe
Token: 35	544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3056	iexplore.exe
2208	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3056	iexplore.exe
3056	iexplore.exe
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2208	DllHost.exe
2208	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2708	2380	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2992	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2992	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2992	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2992	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2892	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2892	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2892	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2892	2708	97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2992 wrote to memory of 2260	2992	ayndhebhovnr.exe	35
PID 2260 wrote to memory of 544	2260	ayndhebhovnr.exe	36
PID 2260 wrote to memory of 544	2260	ayndhebhovnr.exe	36
PID 2260 wrote to memory of 544	2260	ayndhebhovnr.exe	36
PID 2260 wrote to memory of 544	2260	ayndhebhovnr.exe	36
PID 2260 wrote to memory of 840	2260	ayndhebhovnr.exe	41
PID 2260 wrote to memory of 840	2260	ayndhebhovnr.exe	41
PID 2260 wrote to memory of 840	2260	ayndhebhovnr.exe	41
PID 2260 wrote to memory of 840	2260	ayndhebhovnr.exe	41
PID 2260 wrote to memory of 3056	2260	ayndhebhovnr.exe	42
PID 2260 wrote to memory of 3056	2260	ayndhebhovnr.exe	42
PID 2260 wrote to memory of 3056	2260	ayndhebhovnr.exe	42
PID 2260 wrote to memory of 3056	2260	ayndhebhovnr.exe	42
PID 3056 wrote to memory of 2160	3056	iexplore.exe	44
PID 3056 wrote to memory of 2160	3056	iexplore.exe	44
PID 3056 wrote to memory of 2160	3056	iexplore.exe	44
PID 3056 wrote to memory of 2160	3056	iexplore.exe	44
PID 2260 wrote to memory of 1864	2260	ayndhebhovnr.exe	45
PID 2260 wrote to memory of 1864	2260	ayndhebhovnr.exe	45
PID 2260 wrote to memory of 1864	2260	ayndhebhovnr.exe	45
PID 2260 wrote to memory of 1864	2260	ayndhebhovnr.exe	45
PID 2260 wrote to memory of 1636	2260	ayndhebhovnr.exe	49
PID 2260 wrote to memory of 1636	2260	ayndhebhovnr.exe	49
PID 2260 wrote to memory of 1636	2260	ayndhebhovnr.exe	49
PID 2260 wrote to memory of 1636	2260	ayndhebhovnr.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ayndhebhovnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ayndhebhovnr.exe

C:\Users\Admin\AppData\Local\Temp\97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\97ee4e31ab54dd1286221f66882afc62_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\ayndhebhovnr.exe
    C:\Windows\ayndhebhovnr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\ayndhebhovnr.exe
      C:\Windows\ayndhebhovnr.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2260
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2160
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AYNDHE~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\97EE4E~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ppwtr.html

Filesize
9KB

MD5
26c95f119ea78db509663da1ac1b47fe

SHA1
f8eec92299d65944448302e154588c5ed20dc64c

SHA256
422933cb8cda506c78306485a2eccecc9f1fc92174f4b15ed72f56fcf3513cec

SHA512
80a1d841136e930e7d4e9a7a6b19712016674b77dcf4b44e754d4ef176707575d7ccbb9cdeec4024ab622d607c1d4f7490032ae8c0f59a8dc21883af6760fb3f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ppwtr.png

Filesize
63KB

MD5
e88847d62344ac33253dd3ce3fdbeca2

SHA1
8e5a3331194ffc8a1774d02fe7948fa9e166684a

SHA256
d4baf6c313e2765b3d15c1b922b56cc1e09f07c9c39393b29b152932daf2a7f8

SHA512
9be97e34e3f020b67f62423136f181aeebefa1a92cf871691d78e03909647caaa52dff0e2d38a4782294694caa14e1ff776bd40b65393159348610345d7b5ad3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ppwtr.txt

Filesize
1KB

MD5
065719809129b6b1403c7e377517f00e

SHA1
41051667828032feed1e88273551ae9474d63ebe

SHA256
65879848130db39d1afb7b932e0c9605cf705fb694f8f21fdbb956516a0bf5cb

SHA512
852086dbf835d7e6816bbf3935004aea6c07754c2bd88050e14369615ced84a9bbfa2c75f93e5ac66b07ebe3a53db02ed83cf2cce0116174ce6727c76b1e0e2b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e0167828a0b459353dccdf885b7d58c7

SHA1
2a96f7140821868d7aced4b8c610ab8dfb42ecd4

SHA256
bfb2780007e1c88533c19b5aee024e377997974fea4679b87217ae38e969d7f8

SHA512
fbf59f2cb1eb432e15b12ac378b96867226f9c556f58fef0e9cc53855ed556178405b16f0a515169cd994ce5dfd05c7a95a4405957ca65c26bd4915451622d2a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
d77d26cd7ce15668a9fc6a96641ca61e

SHA1
ac2865411c08804d7ad2e2846ba90ef5e18358ac

SHA256
93cfcaa8946ba4872cfa3b5090c99b59b3532bac0ae714e3b5aa0355a0de0781

SHA512
c7e694aefa1ecafa8398a29450cb8509f1a88503cc52544386c27d75524a69527c464d315d15b5586d511754867e4898bdfc419504747a7aad593aa40dba7ffc

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
d0bf4d81a3ca6d7dff48602a8d87c42e

SHA1
5077b4c7cdd38d670b0fa0221ff9b41d1547c2e2

SHA256
9b4074244e56ca7b53bb2d9b1f2b4dd68df663e28abcbff4657bb7fd3e19c55e

SHA512
a243bf60887402cb756a30e641c7a8fc4e830c5a6ed26fca578c0a808afd2ed0463193e13ec14772ed87a96fd1dcec426abf9980da669eef388bf698c0353ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
338aefe5b27270666188645f59ad857d

SHA1
b352545c5f84ca3470a4ab569f6aaee751c12960

SHA256
5e7a6d8d1716ba8f3142ca5bd4fe30f24e3be2293e263d9f67076f1c3e96ab91

SHA512
33b9770c8e2ee7dd2aa6dcad7452021b7ebadce6a64b417736257ffcd68f7c9f463344770901e36989f3841a28f4157e6ab4bc7ea6f56201e987421a6299e6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
596002079022e8ba2656fbca07a08f14

SHA1
b2589e5e44371fcfb342fee959488ef8208d49a4

SHA256
bd9fa3228a7a70b6b68c9cb379bfb19725c85162cfd55fc20ceb2243dacac7a2

SHA512
482c1220aa8ef4a477cc716552a8e3a2f6c54c810096120040db6ad02549ffc40ac15bcf75256a4a7fbefc3893e2feea580d9e869d2732b6e26573d9b0c86f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
788373d1294cdca1ac0434d59bed79a4

SHA1
8198744a5d0dbb96aa16d5983c67c39388a9c728

SHA256
ffb093c7d6654012153483955580febdcd12855774165850d2315bba76054470

SHA512
e7b36c0d0f48f1fba8e2fbdcc1263c58f54da2ac12b0b6965769498d934a177080731853b19e98b27432f4074fe3c80b039123e0e586e6e05a28aaed324277e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a9aeabd483b268101e2e1678f703cf4

SHA1
704568cc5fdf55a7e474c9bd48dfcf096b080269

SHA256
d86e2574bf4a850563a4b3989c003a629026f0c1a3d4ed4239d6fb9164ff14a0

SHA512
9f6046af0dbf71eec3f165965948cdca94d11c8821a84f5fe51ec6ac1d8479ac7bf3c7b1fc2aacb7099c9e57dc1746c567531ea92031ac2724b5eda3f2e55160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a8080f31c46a9e3eca7fdcfb330c1f4

SHA1
1b147901a111430385d9cff4375cf6a69eab52c6

SHA256
eaf3ca9d50f1de721d68f87af9895c2f4d5517c72f8bd1bdf9bd1fa17eefccb9

SHA512
8e548ec12c6c9b66b401214ae406bd2dfce16250c82ce3396e8092caf6bfbafd4911bafeff4bd658794eb261cf0269c6f934ca2606a2fed4ca0523f6ed4855ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
927811b39168503e3c7a216275f893dd

SHA1
f3924e2de1bc6718788d108dfa4f8889f6e0c7b7

SHA256
7d46516b6102db34f4ee8dfaa18f6980fe042588f91bb25ba651dd4e6f10cd8c

SHA512
c5e0037b9c31c04c649e301ba8f988211f91ddceaf893f3ee1fdeff89d65497f522fb792e21f17fe4728c611a1319c510da13857e91349d7ceb3da4af440cbf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78aa3ac8b580c765280425b3b553a477

SHA1
b9b5a41aa1e6e57715adc2739acc00f82980ce22

SHA256
fe4c00364f2d683e7f66c595a36eab529f6688833722b82dc3079425f983d2ff

SHA512
fd1a7de01526667681493a25bc4f7f20062f0ca34c5428df2fd750caf9ada89ca0572237bebd0571f88f7af887bb6eb715b48888c0a083c8b8ed352f20a7b2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E1A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E6B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ayndhebhovnr.exe

Filesize
388KB

MD5
97ee4e31ab54dd1286221f66882afc62

SHA1
ed782ac0c113e6ee1573539927f3374b8c3e859f

SHA256
4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486

SHA512
1e62643409d12493e3e53da846b746496ae55ccd207ae3aebc321744a62717ea8bbe74280ec5d7373a3478ba16bd5763711a002fc8778aaf1a6f068ffd80d1b0

Download Submit
memory/2208-6099-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2260-4405-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6098-0x0000000004010000-0x0000000004012000-memory.dmp

Filesize
8KB

Download
memory/2260-1828-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6548-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6545-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6102-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-1832-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6103-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-4948-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2260-6092-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2380-19-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2380-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2380-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2708-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-28-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2992-29-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download