teslacrypt | b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Size

376KB
MD5

b09aca00a8dcded70eeac6ec2b497e60
SHA1

9247ba9335b88b4fc1d8febed66e92e4aad8317c
SHA256

b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29
SHA512

f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02
SSDEEP

6144:J+lMnaN9yLmfyoZjcbxstF8cIxnTYI4LVmKJ7t2AQeRi:8TN9xyomFstF8conTCLVzTZRi

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lfdil.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/57954348361F68D 2. http://tes543berda73i48fsdfsd.keratadze.at/57954348361F68D 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/57954348361F68D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/57954348361F68D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/57954348361F68D http://tes543berda73i48fsdfsd.keratadze.at/57954348361F68D http://tt54rfdjhb34rfbnknaerg.milerteddy.com/57954348361F68D *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/57954348361F68D

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/57954348361F68D

http://tes543berda73i48fsdfsd.keratadze.at/57954348361F68D

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/57954348361F68D

http://xlowfznrg4wf7dli.ONION/57954348361F68D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lfdil.txt	uydyscpobgeo.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	uydyscpobgeo.exe
2216	uydyscpobgeo.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ekqrdjvvapgv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\uydyscpobgeo.exe\""	uydyscpobgeo.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 2980 set thread context of 2216	2980	uydyscpobgeo.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Microsoft Office\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css	uydyscpobgeo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\Recovery+lfdil.html	uydyscpobgeo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\Recovery+lfdil.txt	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\Recovery+lfdil.png	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	uydyscpobgeo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	uydyscpobgeo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uydyscpobgeo.exe	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
File opened for modification	C:\Windows\uydyscpobgeo.exe	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uydyscpobgeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uydyscpobgeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000002d9524aedccfa742a8b23d95e89130846c7e6368fd2fa10ab3609086cbbd360a000000000e80000000020000200000002a4e5447e7401d00d2889e0473ccc3ccf581654ed3e14d99cd7adb60b62fcfa390000000885526d313637eaa1bd2a21ea28ae8018027700faa8a8f2e8b196286fe6effff33cbf743be9de285d481b1628ad4d93727f1e9898b960d1ed478161ae7ffdc54567320956d5d80fc10401e40882161f437e35636c32fa4d726e0ba3b138c07c1d2687aa9b7fc50051ad8730eac149a9aa1f48a73e740ef29229fb9ac8bdebda84648057a8de1db7661b290b4296a1ff9400000009ee3e801b9bcc9b2e1f421c9d411d66cdcf4f5a78997dc491bbcaf2947d77343d90cabcb2df690d8fd603f27a15b3465df0905c8e1bd40765ab27acb5e47e111	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000ef8268d3250d7441b69c20cdf649afb96bb30f743492d9acadc767df521fee72000000000e8000000002000020000000c93002ea82c4dd26db97d9acf4a6bf13cd13959d29e4a20b811d515cc7bd098b20000000d647121cf521bef6da57f5f4139a64f49d090872b5a261905509a25d4121f19c400000002f5c84f727268b20c03ad1a5fa72e6d1dbed5a6c2751cd80aa6c73c578b5e52c6ab07d12063721abeb79cbfba69a04d26fc03cc8d3c2a4163a8ca3f91f60a645	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF4E14F1-AE3B-11EF-AA6E-5A85C185DB3E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7090d8c34842db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	uydyscpobgeo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	uydyscpobgeo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1600	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe
2216	uydyscpobgeo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
Token: SeDebugPrivilege	2216	uydyscpobgeo.exe
Token: SeIncreaseQuotaPrivilege	2664	WMIC.exe
Token: SeSecurityPrivilege	2664	WMIC.exe
Token: SeTakeOwnershipPrivilege	2664	WMIC.exe
Token: SeLoadDriverPrivilege	2664	WMIC.exe
Token: SeSystemProfilePrivilege	2664	WMIC.exe
Token: SeSystemtimePrivilege	2664	WMIC.exe
Token: SeProfSingleProcessPrivilege	2664	WMIC.exe
Token: SeIncBasePriorityPrivilege	2664	WMIC.exe
Token: SeCreatePagefilePrivilege	2664	WMIC.exe
Token: SeBackupPrivilege	2664	WMIC.exe
Token: SeRestorePrivilege	2664	WMIC.exe
Token: SeShutdownPrivilege	2664	WMIC.exe
Token: SeDebugPrivilege	2664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2664	WMIC.exe
Token: SeRemoteShutdownPrivilege	2664	WMIC.exe
Token: SeUndockPrivilege	2664	WMIC.exe
Token: SeManageVolumePrivilege	2664	WMIC.exe
Token: 33	2664	WMIC.exe
Token: 34	2664	WMIC.exe
Token: 35	2664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2664	WMIC.exe
Token: SeSecurityPrivilege	2664	WMIC.exe
Token: SeTakeOwnershipPrivilege	2664	WMIC.exe
Token: SeLoadDriverPrivilege	2664	WMIC.exe
Token: SeSystemProfilePrivilege	2664	WMIC.exe
Token: SeSystemtimePrivilege	2664	WMIC.exe
Token: SeProfSingleProcessPrivilege	2664	WMIC.exe
Token: SeIncBasePriorityPrivilege	2664	WMIC.exe
Token: SeCreatePagefilePrivilege	2664	WMIC.exe
Token: SeBackupPrivilege	2664	WMIC.exe
Token: SeRestorePrivilege	2664	WMIC.exe
Token: SeShutdownPrivilege	2664	WMIC.exe
Token: SeDebugPrivilege	2664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2664	WMIC.exe
Token: SeRemoteShutdownPrivilege	2664	WMIC.exe
Token: SeUndockPrivilege	2664	WMIC.exe
Token: SeManageVolumePrivilege	2664	WMIC.exe
Token: 33	2664	WMIC.exe
Token: 34	2664	WMIC.exe
Token: 35	2664	WMIC.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1724	iexplore.exe
536	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1724	iexplore.exe
1724	iexplore.exe
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
536	DllHost.exe
536	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2468	3040	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2980	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2980	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2980	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2980	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2320	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	33
PID 2468 wrote to memory of 2320	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	33
PID 2468 wrote to memory of 2320	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	33
PID 2468 wrote to memory of 2320	2468	b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe	33
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2980 wrote to memory of 2216	2980	uydyscpobgeo.exe	35
PID 2216 wrote to memory of 2664	2216	uydyscpobgeo.exe	36
PID 2216 wrote to memory of 2664	2216	uydyscpobgeo.exe	36
PID 2216 wrote to memory of 2664	2216	uydyscpobgeo.exe	36
PID 2216 wrote to memory of 2664	2216	uydyscpobgeo.exe	36
PID 2216 wrote to memory of 1600	2216	uydyscpobgeo.exe	44
PID 2216 wrote to memory of 1600	2216	uydyscpobgeo.exe	44
PID 2216 wrote to memory of 1600	2216	uydyscpobgeo.exe	44
PID 2216 wrote to memory of 1600	2216	uydyscpobgeo.exe	44
PID 2216 wrote to memory of 1724	2216	uydyscpobgeo.exe	45
PID 2216 wrote to memory of 1724	2216	uydyscpobgeo.exe	45
PID 2216 wrote to memory of 1724	2216	uydyscpobgeo.exe	45
PID 2216 wrote to memory of 1724	2216	uydyscpobgeo.exe	45
PID 1724 wrote to memory of 2392	1724	iexplore.exe	47
PID 1724 wrote to memory of 2392	1724	iexplore.exe	47
PID 1724 wrote to memory of 2392	1724	iexplore.exe	47
PID 1724 wrote to memory of 2392	1724	iexplore.exe	47
PID 2216 wrote to memory of 2804	2216	uydyscpobgeo.exe	48
PID 2216 wrote to memory of 2804	2216	uydyscpobgeo.exe	48
PID 2216 wrote to memory of 2804	2216	uydyscpobgeo.exe	48
PID 2216 wrote to memory of 2804	2216	uydyscpobgeo.exe	48
PID 2216 wrote to memory of 1440	2216	uydyscpobgeo.exe	51
PID 2216 wrote to memory of 1440	2216	uydyscpobgeo.exe	51
PID 2216 wrote to memory of 1440	2216	uydyscpobgeo.exe	51
PID 2216 wrote to memory of 1440	2216	uydyscpobgeo.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uydyscpobgeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	uydyscpobgeo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b09aca00a8dcded70eeac6ec2b497e60_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\uydyscpobgeo.exe
    C:\Windows\uydyscpobgeo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\uydyscpobgeo.exe
      C:\Windows\uydyscpobgeo.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2216
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2392
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UYDYSC~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B09ACA~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lfdil.html

Filesize
11KB

MD5
d64e5bc287114770603e30805c561d80

SHA1
ca8d81d8cd270ebfb44bf903be141b22be4b4a4d

SHA256
5bbe1926535141116b34e2baddd444b92d2640a5febc03b57bba285c883039b6

SHA512
2bb31e6cee4ed20a618ea132b842fe1d479f7881c768b018294d352b864f41dfa63c76405297ba3768dce21ebf7adfa6ff965c2c80b54420c88890dab350987c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lfdil.png

Filesize
63KB

MD5
e8503dfd1ac8dde7391c5601eaa2473d

SHA1
ce7a564e3eb882583934c14236bb10abef4737ac

SHA256
4fde6a94f94bc6ba03cfc97be2858d6d06ed42b8f0c981a7bcee6003d351739b

SHA512
fbdaa3336ab218e097a41d98393567f991cddef3a4d112f433d2c0e37e56d9d3b752fa9b4869776da29c9fa4e2c99c30316ea4b715f432ce27515ddbba38fa4a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lfdil.txt

Filesize
1KB

MD5
7b09ceda63a16e548431b994b82c7e44

SHA1
62d7cdd78e81228b9217e43c68ff5326bcd0ecde

SHA256
8a447f0cd96a2d5037cf2c095e80f2798b1f67273f75ccb2b7a012509922144d

SHA512
c4f0a416708c2be7713c9e57b38d57f6c975e8753ab8b1c624c789f031ee445c1eaabf5598149afa27834d7ad487265f4705504bad660483b91f8ac383178503

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
96a6625721ed95649635ada0f75da28b

SHA1
0c543d9ca6d36a4fa4ffa0abc9bd7d67f2bae7d4

SHA256
44439deaffb76eb1f0d340832bc73fa66509bc5dd72f0eba00f09c65d8becf15

SHA512
858fab350c4609e1563da62704b6a9e8e5fd7ecf894c3c1f53d93779959990e0a1d0ded9180e48c4045358aa447854ace922ff1a204765564b51585977ad6fc5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7de7adb4d11e1ff35a8cdb5cb27804e1

SHA1
530d3a542b7edfe84787e754dd6b70aa8a1cace7

SHA256
af9893b6b72b1e6e15486b371c4306cc0c4bc6eb864f68f4f2b37cb44620aa3b

SHA512
d7de8289cb9201bc105487794abb6f7b65a0005fa1da70a025b607b7fa020f979f8806aff011ddf4f4740beae5b3ea3bd7d29b3aa18408beefbaf2edbd866fe0

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
620594d34429ad1c017f4306a461d175

SHA1
fada4c321372e289ea0bbc4b986b52e1d5434994

SHA256
63e1d4ce48052a0484cf093aa0bbedc89a715d2740371144b3973916d6a380e2

SHA512
24bf0306184d8902c8518836b3c613618e6637b8359fd5ad73fc1b858ec5ef7b33ca6af6cb48e5042ada5583a0fc6b3839142a01671e67a76fabef119bee049c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1087c2a264e0b4fc9af8451eb420091f

SHA1
de30f025f8d431038960f4d0997ccb8c1919febc

SHA256
3406b887e1f1c45b1c77923455a9168a51a44d2ca40a29faa006c45b97b56a3c

SHA512
85f9f9a84024390e663178fcbfa71944c09ee9be9d2dcc63c08637367dbf0b4bfe83bf3b397ac5c9566d6669b1901bb9adfb686edb45bbebc622139492239d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
627b357e527200c6895bcde05d57beee

SHA1
1c7651bcb0b1f501906fb519a81994613225046b

SHA256
7fd44538435efc9057d675fc4fb1c8fb8d38275d6017619cdfd0e563ba84fa46

SHA512
f3d4c8b05e4a16170b2f022113596ec23d1276daf21c3b94fd8703e08ea4f398092abb0203b4f62d628588aca10feab926a1e06fd87f434828c55f85862d64b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad7427133f5e2b7e5e9d93bb7dfb51c4

SHA1
790311c8826e8fb5d294d88abd343c7f86a93bb0

SHA256
badf69c006ef26b65fd3dd421570b530fc8e1cb69261eb62eba78aead324bbff

SHA512
9112775d15c5ea197c2bb67fbd00b8c3ad6d9afb30636650a933cce5c10190d663876cb836f2aa09f6cd39cb6b8e1745ffe6f98a3f7932505002fb64076844b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0350f0a0a74189228b4038e8aedb0b3

SHA1
b3ad2fdd20f80d15af7a70c3eac93913d8e03e67

SHA256
640b0fbb2cbeeba552e014e4dcdfb7f5ed98edcab1ad6a54eb0d50cfa5ba9589

SHA512
9bdedf03ee05f4402ba963e98b3408cb3e9bad7983e02166236bb40b33076be80901625b9e3c9bd350ec74444bc14d6b83d394300082b85389855df6864de586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfc16add195089420f8fcae29b47d341

SHA1
0524046b8698e07e387770212c211cfb8b929ead

SHA256
d3ca786aef0734712761c57d4b6a6209225e6be5295c766e90cc461b825ceec1

SHA512
9146d96f44d4e98711e79ac03fc113be701759a4c8e8a37261824df60372b63d659e01d0b6f02981b2400544219039b902486551c2a7502ad98b7c4b2b5d9713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6d30e526a9c98693d5c158fa2786af3

SHA1
cebd4c7da3cb895eedb7ebf36e2b1904383199aa

SHA256
063c48937ab5e86132d06240a94f6e8b01363e4a1ea24b30144fe6ae662265a3

SHA512
9ff881c25e0f894fa52353539beee334b00a11c4c4c326a47c92e27e0288c8f399f1145adad4c0d838faacf7c278ef45f3d9d5aa39fc7b1d7fc6c3ad90e19158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18af9f1ba59c1fb5a56c64f01cbf6e02

SHA1
294939cc050ebab16d82e4f9d552b575b72b8e49

SHA256
3dcb418c594b77f4e019e7918b05decabfe3e2e6472938a2a14f59cc8df24695

SHA512
7ca9c88381ed9985b394be04d7d297c5cd8b07ff4893ed759e739e32345d07b8e89a19026ec96e5fe371dc6e1a77419db79c0fecabc8941c65354a7bc5599241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a14feba41880c331a6701147f4a5ebb

SHA1
83ede752d50b80527ea1d462ce3a74e12ee3a62f

SHA256
8713af489ce393ce67b4961c4ffd2e2e9b299240305eaa0b6cf183f1b20977b2

SHA512
fd527b7dca4901709963283745ca41c9f7108bb9f16d96d7d9e7441cdec30001aaa6c5486f2c641b12a4c8d756d664ca30b5602618f4970db8b9b3ca06ddf622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82442b645f7bb64a52c9ee3ffd21af0c

SHA1
2eaf3ab5b40646b20ee37ca812ea0dfa7172679b

SHA256
d69f67cb38035d9d3a58aabad439ec9213e80568453ae52861ec43990aa4420e

SHA512
d1f18c170d458ff5d8fb7268a187f02625477a2207bab96facdff2c9a8ab262b2618e02c51c7082798bbf3c56a9165f6a46134c8f1b83b3ce1791486c4e1f3b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
800f8fc48bd9e88080fb395c5c4599cf

SHA1
0822b4d42c49b6f30b625587a424322fb5ab6a35

SHA256
0ed8b8aadf8cfc95aa8f81f1980f2d9b1aa8c29205b58f3f0c195d874d4c39bc

SHA512
2f1eb2e8ea64cb15f71e7c2dae16040478fc79ac50bf7f20ee41e762f3dbe3da887bbd6263e71ce6b15a17da0d801dd6dbbb0ffc6ea4f2d07f2e6763cd19f08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5caf29a16a3472fb4d89fcb6a33725f7

SHA1
deac503605e630549808261b0dc5c6af185af634

SHA256
7367e9ddf440d570c799806dae6d4a03b25fc7fd31c00b81af230390371cad3a

SHA512
a4276326fe63b873451484eeef04e6fb4d385eabbe145d25f81e749f15cf794e14fbd77d2ace857db04d2c1e45e59eaa280f1cbec140173bf61754e1500f4259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar37A6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\uydyscpobgeo.exe

Filesize
376KB

MD5
b09aca00a8dcded70eeac6ec2b497e60

SHA1
9247ba9335b88b4fc1d8febed66e92e4aad8317c

SHA256
b45ae8dabc0e3d299a47425c624d526ce6668728499307d77acb6266f4c4ae29

SHA512
f3c2a80cb592a721f454773f8aed5ba09b96641325effaa92821be9a3d80e99522100610c10ce9d4dd8ab97a60f182b9e9a3a7d1dd18505658858dcb30ccef02

Download Submit
memory/536-6102-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2216-6128-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-6131-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-1903-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-1959-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-1958-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-5251-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-6095-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-6101-0x0000000003A60000-0x0000000003A62000-memory.dmp

Filesize
8KB

Download
memory/2216-6104-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2216-6105-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2468-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2980-31-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/3040-19-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/3040-0-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/3040-1-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download