teslacrypt | 6a7506d51f1a4c93555351464c571c856c01c020eba666f4182a201e3f5b7ba7

Resubmissions

04-12-2024 11:27

241204-nkqxnstpgz 10

04-12-2024 11:23

241204-nhcl9stpbv 10

Analysis

max time kernel
146s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
Size

376KB
MD5

c24ec3c4c8bad4bffe0a30c5da5fb33c
SHA1

6c27f9f02c94dc9ce3bf23970b9071f7b7a0d455
SHA256

6a7506d51f1a4c93555351464c571c856c01c020eba666f4182a201e3f5b7ba7
SHA512

bf4e4dbd10559d601fbc93d9099c15fba4d40812a1f539acd07b2b5a9feb843ed005892f313624039de4f4e04b3cead9ad759723037ab2a0f7814e7158416d6c
SSDEEP

6144:Te3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:TY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+wfpoa.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D2DCC5A060FE6AA 2. http://kkd47eh4hdjshb5t.angortra.at/D2DCC5A060FE6AA 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/D2DCC5A060FE6AA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D2DCC5A060FE6AA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D2DCC5A060FE6AA http://kkd47eh4hdjshb5t.angortra.at/D2DCC5A060FE6AA http://ytrest84y5i456hghadefdsd.pontogrot.com/D2DCC5A060FE6AA *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D2DCC5A060FE6AA

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D2DCC5A060FE6AA

http://kkd47eh4hdjshb5t.angortra.at/D2DCC5A060FE6AA

http://ytrest84y5i456hghadefdsd.pontogrot.com/D2DCC5A060FE6AA

http://xlowfznrg4wf7dli.ONION/D2DCC5A060FE6AA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (883) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	savuxuijhbwr.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wfpoa.txt	savuxuijhbwr.exe

Executes dropped EXE 2 IoCs

pid	Process
1272	savuxuijhbwr.exe
4464	savuxuijhbwr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xusfajteslcy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\savuxuijhbwr.exe\""	savuxuijhbwr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5032 set thread context of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 1272 set thread context of 4464	1272	savuxuijhbwr.exe	103

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-400.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\2.jpg	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Hero.jpg	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-72_altform-lightunplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-high.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_altform-unplated_contrast-black.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SmallTile.scale-100_contrast-white.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-100.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-125.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-40_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-20_contrast-black.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Recovery+wfpoa.html	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppPowerPoint32x32.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\WideTile.scale-100.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-150.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-LTR.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-150.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3_Loud.m4a	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\Recovery+wfpoa.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7db.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-125.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-400.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-lightunplated.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\Recovery+wfpoa.png	savuxuijhbwr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	savuxuijhbwr.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\Recovery+wfpoa.txt	savuxuijhbwr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\savuxuijhbwr.exe	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
File opened for modification	C:\Windows\savuxuijhbwr.exe	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	savuxuijhbwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	savuxuijhbwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	savuxuijhbwr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4268	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe
4464	savuxuijhbwr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
Token: SeDebugPrivilege	4464	savuxuijhbwr.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe
Token: 33	4444	WMIC.exe
Token: 34	4444	WMIC.exe
Token: 35	4444	WMIC.exe
Token: 36	4444	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 5032 wrote to memory of 3064	5032	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	98
PID 3064 wrote to memory of 1272	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	99
PID 3064 wrote to memory of 1272	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	99
PID 3064 wrote to memory of 1272	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	99
PID 3064 wrote to memory of 2676	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	100
PID 3064 wrote to memory of 2676	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	100
PID 3064 wrote to memory of 2676	3064	c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe	100
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 1272 wrote to memory of 4464	1272	savuxuijhbwr.exe	103
PID 4464 wrote to memory of 3892	4464	savuxuijhbwr.exe	104
PID 4464 wrote to memory of 3892	4464	savuxuijhbwr.exe	104
PID 4464 wrote to memory of 4268	4464	savuxuijhbwr.exe	108
PID 4464 wrote to memory of 4268	4464	savuxuijhbwr.exe	108
PID 4464 wrote to memory of 4268	4464	savuxuijhbwr.exe	108
PID 4464 wrote to memory of 4008	4464	savuxuijhbwr.exe	109
PID 4464 wrote to memory of 4008	4464	savuxuijhbwr.exe	109
PID 4008 wrote to memory of 752	4008	msedge.exe	110
PID 4008 wrote to memory of 752	4008	msedge.exe	110
PID 4464 wrote to memory of 4444	4464	savuxuijhbwr.exe	111
PID 4464 wrote to memory of 4444	4464	savuxuijhbwr.exe	111
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113
PID 4008 wrote to memory of 548	4008	msedge.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	savuxuijhbwr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	savuxuijhbwr.exe

C:\Users\Admin\AppData\Local\Temp\c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c24ec3c4c8bad4bffe0a30c5da5fb33c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\savuxuijhbwr.exe
    C:\Windows\savuxuijhbwr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\savuxuijhbwr.exe
      C:\Windows\savuxuijhbwr.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4464
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:4268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6c5b46f8,0x7ffe6c5b4708,0x7ffe6c5b4718
        6⤵
        
        PID:752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        
        PID:2484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
        6⤵
        
        PID:4012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        
        PID:4848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:1028
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:3348
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        
        PID:4536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2324 /prefetch:1
        6⤵
        
        PID:1464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        6⤵
        
        PID:448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        6⤵
        
        PID:456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2973796882603864988,10866967322652666252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
        6⤵
        
        PID:4992
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SAVUXU~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C24EC3~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+wfpoa.html

Filesize
7KB

MD5
846222b71c0275db0fa9ad1146ebdcbc

SHA1
a500fcdbdfc7b4683c73689c3489174cfea45fab

SHA256
fc0f7422ab36e72e4726d41d3fb7c797f88b6805594b07a92661c00d63318560

SHA512
7e78b23b41ed9273a5afb449c72e0c70820fb3ba726a9133037947b9f911f7dfcca10f739a42fc68e9ca6e85afedc0f2d87945e77f676898c6cc06b7bfa41632

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wfpoa.png

Filesize
63KB

MD5
5f5e96b1e30ee5f17eedc28565b0940e

SHA1
f347fe10e7f097d3b71ef9a49805130f84c2765f

SHA256
0ecf9e7bce6c673b94f4691301f1a3617b5beec286526d85ef4d0d85ffe6024d

SHA512
1692aec56489b588a691d4cb5002f08c95bb907373d1ab746ef0e40c300ebe8d1d592df004d4c60fd29a9810a0aa9cdf4426c6d968f09e03fc60450b891840fc

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+wfpoa.txt

Filesize
1KB

MD5
054407e7ca4bcf524af0671ea393e243

SHA1
66f036da07950299a5bf95e795fab63bbf9d85e7

SHA256
e1cd1b1fe9daabcb9935b90322f8bb98a2cba2fafeaae645c62925b3c3e7279f

SHA512
c6d6250a5e08fb4072207647810fb1dc3bd1032b1501f82d960fa680a342bd420022e3ef1738692e0f77fc65c983cc785f9a25cbb91bd7a42562b02cac785ab6

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
504e570f26ff2e4204b0944317d2be32

SHA1
d44fe512e72ae69b41bcf1dcbd7620b29e35122f

SHA256
9304bd0bf13142fbaf25932aa1f9433a24de8a64669b9dc6ed865a1dec935c5c

SHA512
2c00a5f465eaaad25d8739bf8ede1b2c4bade7f9bd6ae21d5a34bb08d710fb0217275e4cf970146c8352e5cc1c72944f256d304e23b560faa1bfd0290e64f009

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
872e6410130e1688a2da5dc948f62252

SHA1
9145924aa8c2f4e6402e39186c75a22832e44aa1

SHA256
d478f3de49285548c322c82d71acc04cc2bdc77569ec48dabf90fd968faf85d0

SHA512
b97ed0f191ffa1301672f1935895735dae2a1a95fa2616078b90475679866c275ae0a7e54fa5311dfd75beb59e28c36d331fe0ca480ba183a5ff6ec330a80c88

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
45cd623d19b06227883060819342d524

SHA1
249c0e723d38fbc4c84fdc4c2d78b63b2ae2de0e

SHA256
b13424ff3e56dbdaf99d8a340f28159e53336b797f48c1c451f944622ce35942

SHA512
645d5e08ec77e52b07006a3bdae3923f30da75c99d44daca2b657eb436a8898c6e649794fff6bf2b5df374042f8817fb467db2946a60896bb721a6d20ecc9db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5abde019007861f93acaea8b81e00086

SHA1
d66b7e66dd532f8b617a92b3edfa78b454a24d43

SHA256
5674cb5053072d6a127c498a0f59e62b64853c1ba3c4ef39459fd9985e7fb9ce

SHA512
07d65e25eda34e255e095fe415080ad040ca9bca95c1482c795dcd15ee8737d54d3ed5fa96782e7bcce3c637637e4d2ec94ec49ceb8a97daa165e0f3bbd5a738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05c36fa176eb87e9fc23cef22e496c73

SHA1
d2676fece97ae91ae75060ff4ee051e01675c31d

SHA256
a89b9419a8552a6a03906ec42bea0a23a57c7217438de9b7df5c0533986de0d5

SHA512
38389c9e978dd762096fdc817ce0e14e96aa974a15eb92bcd29746c6ddde7ab7e7f7c409d1eaf573ff0a508c6950ab0f4fd80e06fcbfd4130a3786c434511d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9ae52d7d4bd727efef12a7f49dfdeaa8

SHA1
079fbd92c5411dce62613e81103e4e1164d49065

SHA256
1e1046fc32b825aa6611be362cce318d68a4c968c71544209b770a04a00c9ee9

SHA512
e9c152be9524e1272391cd1c95c029dfde42ce6ad9f33f496d568f762d6c941fed95437fca0e0897fa446e46d33dc2b20193fe1b982a654b63f3579874175990

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662898920525.txt

Filesize
77KB

MD5
ad53b00fc38476e5518651b9c6f9f6d6

SHA1
030c0ecef44af7d5e3e3f2075955dc3d0fd1ea08

SHA256
9a3b358264d1f899cdd6e5f55350a86aeadccefbc7609d28bcd79ef65bc63f82

SHA512
f094fe586b8543e1f6876709109f5816ea3fdfc71d447cdcbf61b0ec23e037bd061edbcf2a0c41432a96dead5a848d8f4bbce445e34714d7d72f91d15fae79f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672984949051.txt

Filesize
74KB

MD5
00780b8bc1e06d0bf031070964210256

SHA1
8870672ca11ea8a2f5111d2842af71af30a4e712

SHA256
fc7ff1607906a2334e2cedc7e999cab43b538e7a4004924ba6c588ece2380c78

SHA512
86797c277a0d076c43483d85e9494c8f6f432028cd97d02e32072fdf14b2054b61ddcb6e62001d8a9e8787370a0144cafb05f7b01f63dcdbb29eadcaa073b241

Download Submit
C:\Windows\savuxuijhbwr.exe

Filesize
376KB

MD5
c24ec3c4c8bad4bffe0a30c5da5fb33c

SHA1
6c27f9f02c94dc9ce3bf23970b9071f7b7a0d455

SHA256
6a7506d51f1a4c93555351464c571c856c01c020eba666f4182a201e3f5b7ba7

SHA512
bf4e4dbd10559d601fbc93d9099c15fba4d40812a1f539acd07b2b5a9feb843ed005892f313624039de4f4e04b3cead9ad759723037ab2a0f7814e7158416d6c

Download Submit
memory/1272-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3064-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3064-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3064-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3064-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3064-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-1990-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-3948-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-6656-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-1978-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-578-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-9446-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-10711-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-10712-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-10720-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-10721-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-10762-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4464-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5032-0-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/5032-4-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/5032-1-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download