teslacrypt | 7097913d473590c8fc507d8b8b6eaee8cd9db77888ebb14fc193eafeac039d7a

Resubmissions

04-12-2024 19:36

241204-ybjr4stjdn 10

04-12-2024 19:28

241204-x6ma2ssqcl 10

Analysis

max time kernel
109s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
Size

424KB
MD5

c40b893661bbb99187869568375d63ef
SHA1

ca533304be2c72b5876d756634b2b3207793260d
SHA256

7097913d473590c8fc507d8b8b6eaee8cd9db77888ebb14fc193eafeac039d7a
SHA512

bea6153b2a3411a4d2de5da6616dfcbc9a233c1297e0d7b0a7c1c443aa03f04739c9e563027723e16cec8be14f89738167073e17c34b93a4c3baeef368c97333
SSDEEP

6144:MsPAYJDo2magV+8GUEmGM41DwAHQmjdN1AUL0yogLpWPoXbftChXW3AxfulDGgB:Hp808fEmLqDwAJjpA+E+blCJxfS6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+mhuqn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5D71537E38FC884 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5D71537E38FC884 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5D71537E38FC884 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/5D71537E38FC884 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5D71537E38FC884 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5D71537E38FC884 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5D71537E38FC884 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/5D71537E38FC884

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/5D71537E38FC884

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/5D71537E38FC884

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/5D71537E38FC884

http://xlowfznrg4wf7dli.ONION/5D71537E38FC884

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	bnwxefpapprl.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe

Executes dropped EXE 1 IoCs

pid	Process
3152	bnwxefpapprl.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bgmitxnvylkp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bnwxefpapprl.exe\""	bnwxefpapprl.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-200.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\MedTile.scale-200_contrast-white.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-125.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-high.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-unplated.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-125.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\calls_emptystate_v3.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_RECoVERY_+mhuqn.txt	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\BlurredGradientBackground.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d7.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-100.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-125_contrast-black.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-200.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\_RECoVERY_+mhuqn.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\_RECoVERY_+mhuqn.html	bnwxefpapprl.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-high.png	bnwxefpapprl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bnwxefpapprl.exe	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
File opened for modification	C:\Windows\bnwxefpapprl.exe	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnwxefpapprl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
428	iexplore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30253a198446db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "413718574"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "413718574"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000e49ce4ecbdb0df20640cdc81946b2b4a12b6719818681504de5f8fe06dea2b14000000000e8000000002000020000000640de1b610ec5dc990abe4e10562ed0f261f2d50325561a582fa72c5f38d470d200000000f2b04f1cfb20771c437b67866af8c6c3e4b437dc5186df120cb39a3f0af06b6400000002ea544245d2ee3fccd7a863c892ca6d833c24199f2b9ddb901c0e99317af4802e4f104e251057574b6954d51db5233c17b33491fc86fab0f01094cf4d905680d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{444AFDBA-B277-11EF-B9D5-E6FB6C85BB83} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147652"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406a35198446db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147652"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000c694a7b9abbfd6aa7f406001b00647db366bfdcd923ce8f5f991dd60851122ea000000000e800000000200002000000046b884bb01e6db9f92668ef662f21a33436936a3995a8b78111913d9b7a6eb90200000008b9de9106396eec8f290098ec16335da24d0c5e41f42bddd45941be8e6dfccc440000000861f14222e75e244dac643e99192ed478b46a59a0641f5e08f66ba46a9fe6cdf482978e6c212f0265068efdcd030fbc12000f4d4a7561b02c76e0a7ee06f79f2	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	bnwxefpapprl.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2604	NOTEPAD.EXE
852	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe
3152	bnwxefpapprl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
Token: SeDebugPrivilege	3152	bnwxefpapprl.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
2604	NOTEPAD.EXE
428	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
428	iexplore.exe
428	iexplore.exe
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3152	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	82
PID 2108 wrote to memory of 3152	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	82
PID 2108 wrote to memory of 3152	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	82
PID 2108 wrote to memory of 2724	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	83
PID 2108 wrote to memory of 2724	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	83
PID 2108 wrote to memory of 2724	2108	c40b893661bbb99187869568375d63ef_JaffaCakes118.exe	83
PID 3152 wrote to memory of 4160	3152	bnwxefpapprl.exe	85
PID 3152 wrote to memory of 4160	3152	bnwxefpapprl.exe	85
PID 3152 wrote to memory of 2604	3152	bnwxefpapprl.exe	99
PID 3152 wrote to memory of 2604	3152	bnwxefpapprl.exe	99
PID 3152 wrote to memory of 2604	3152	bnwxefpapprl.exe	99
PID 3152 wrote to memory of 4652	3152	bnwxefpapprl.exe	100
PID 3152 wrote to memory of 4652	3152	bnwxefpapprl.exe	100
PID 4652 wrote to memory of 3572	4652	msedge.exe	101
PID 4652 wrote to memory of 3572	4652	msedge.exe	101
PID 3152 wrote to memory of 3696	3152	bnwxefpapprl.exe	102
PID 3152 wrote to memory of 3696	3152	bnwxefpapprl.exe	102
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 304	4652	msedge.exe	104
PID 4652 wrote to memory of 272	4652	msedge.exe	105
PID 4652 wrote to memory of 272	4652	msedge.exe	105
PID 4652 wrote to memory of 2880	4652	msedge.exe	106
PID 4652 wrote to memory of 2880	4652	msedge.exe	106
PID 4652 wrote to memory of 2880	4652	msedge.exe	106
PID 4652 wrote to memory of 2880	4652	msedge.exe	106
PID 4652 wrote to memory of 2880	4652	msedge.exe	106

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bnwxefpapprl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bnwxefpapprl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c40b893661bbb99187869568375d63ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c40b893661bbb99187869568375d63ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\bnwxefpapprl.exe
  C:\Windows\bnwxefpapprl.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3152
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:2604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9164146f8,0x7ff916414708,0x7ff916414718
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      PID:272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      PID:2880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      4⤵
      PID:2600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
      4⤵
      PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9705431704955442468,1312399174979789336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:3520
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BNWXEF~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C40B89~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PingRequest.gif
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3556

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\MergeCompare.fon
1⤵
PID:3908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SkipEnable.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+mhuqn.html

Filesize
11KB

MD5
949095e45b293406538fef80367596b4

SHA1
ea089d466e8722fc23b7a7cdc138202be0449998

SHA256
7c0bfe52cc1a1f0e97fdfd2d1ed6455ddc68464a78af61cadc12733ebe327ee1

SHA512
dfbe54b3b836feaaf297e0827021c0b72037f28a8d69decfba4260b8eb90f0f66176e2b5685c2e33fdba595bbe16f539c62c977c19b8b634853090376ac870da

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+mhuqn.png

Filesize
64KB

MD5
fe1181ebc94d198e51edb57098d62210

SHA1
2f22327aa75a8c430f40fd640e241b76750a4332

SHA256
fea6bb79aaa16628ebccae4858d00be312ec923e4998cdcc02fd833f2e42ba5e

SHA512
9be7ff7b2915268b3757ee76bd617294ae206bfce3ffb830d342bef2da0b40f04f61aeadd053c93a78a3c1f3b37c681d768a82951fa5c97bbfc9c2120e078962

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+mhuqn.txt

Filesize
1KB

MD5
e7ce36db1f8277b1922225bb20ba5fe8

SHA1
30a31121c3b5c881b8b37b2d79f2519a7d92a89e

SHA256
db740a00a20ba16dfbf5e69e274467b5686ea6f153f595369c3165e64b83cd43

SHA512
9f069fcfb1b586ac9abe18949626006d89b620711b474db88a95f7642054acd7e0009dbc2de559b64600773346ecb6613277d29a16c0f0f3902e17a45f93d592

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
3449773488998814358f1552832a8f7e

SHA1
a1d3eaf441c6849f9cdf7d472804196dac60269d

SHA256
26710fd063379760f2274c14737b3e6934300edc8467f4da3e466d7e87bc528a

SHA512
6f9c3b879e2ac599ba828d329617573f5bc4eebe1638746a8fc0e368e45c67c4f7a65d1c237a1856bf90c4e8af30440f48c90e17bf37cbbaa77f2bb97744a4f7

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
ab2bf9e349b6c7e6b394b53c9d20682d

SHA1
783bc9fab3338cff7b5a41eeb4202e3f600b99ce

SHA256
7e5edaf847c7ee31b103fe3b996d5664e31d627d68c5ca19305f96eaa7438ecb

SHA512
d7927a6aa4f675764571bb96f5efc5263984322e63b32b34cedbc5e09178870139bb3fd2faaa98a354d9dcb5658c1710b4a9ec06aeea5bab4feeb6259b692266

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
6f8b8587eb48c8a701b2d9f935b77c6f

SHA1
01502b656cd043d277ca31ec768bea65a5b19ff0

SHA256
acfbaa3711d873007f274dec14c3819962e8d94f57cb964b801c3d8d4d600e54

SHA512
2975e9d6c73e8f65d39ffa81c3124532c27c770374dafe870330e67fa261a084bce798fc682a8a252c16b4e493baf08f5599b2234b0adb9cd9ce9729be427e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
225a8e444ad6f810467d3c7c59a47619

SHA1
7ec81c49d15a65f7d585e6f00c64d4771b15b03c

SHA256
a4474abdc4ee79627f3699c76c7364456c6d22db87e8f97af7835b983ffe7319

SHA512
00713a3f3419c6475e6da7b43bfd18f94be933bd507157f2d5a0e106f38c012551f4ce506bdda504fd0258e6106de9fb61bb304e7fb9d355b6abfa5041fc4d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29207bc088563343b3ea662bd9673e8f

SHA1
36b9a5ca4fc65ddd0c003719a1b6d79023c96a2e

SHA256
c7791a109cf2b50239a3f5d0c2613bed356375c9ae786f6451747deb03db069c

SHA512
8e7c52412afd15938c51f9ed155c0433a206f16d90271ba63aa261f4490f735c145f7bcc553cc776b0b672c607be420b15648d543a94088a4a1c840bcee73a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d7bcca8e-3203-45f6-8d74-766b1fee43b1.tmp

Filesize
5KB

MD5
13db34d6048779115c75881b8a1c62c3

SHA1
62af6893f21a376b7c8c769452c5cee1a03be005

SHA256
4d405fcc3f9b4dbd9c7f0015557b5b5be0d24f0b00bb96dbf7f96a9588b90f43

SHA512
5672ddecb5c32b4bbb270d5425fe30b5ff63b241ba4a6b742c8378fe80b321a01f289df79c3ac91a0f34d7434a76f069f8b170507212bd842385a18c3e9770c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c5891e64ecb7b1fa0820073b7ff1844

SHA1
339734631b22c2d9d842b71fd24f9f2a4baced35

SHA256
cdcfb7910f99be01d74502c55601ad0276a68b93293dd59ac8db69f992714a0c

SHA512
86edba0255065ca0a0fee621f92398f70f968585591980d83bbb2a051953cdf933e6f902e1bd25996570782ad1300411692a9c1607937b3bd26090e69b50a347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c26d8da94e59e1375764a3a83e221475

SHA1
54fca457ba345fa4a736685bd15a28d03b7c00a0

SHA256
d89d66bc791d779998a4e6b7ceb37abd54fb81b32916d7d5f876befb264b413e

SHA512
a6b18579f015ff6bea3f75fd97553aa57b747c6c6910b223014c6998e281e93fad6e3289b19508bf4a2ce60069e9b580022807af23ab63293d5ac0bc72852476

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656325443828.txt

Filesize
77KB

MD5
6b7d22486488e7e0346f84dbdaf1995b

SHA1
bd7a90c0b2b32d82fd1b9125c2f934c8077f974a

SHA256
3388ca4fa3255f9e88085b9379d3d80f301d4b903b011ee4d41daff2bf2c250e

SHA512
dba43e31cb0875bd490c1229f6c40b0588c52cf0725a4e5d9a9a11f9216eeedeaf37fee113e958b8542519165f831650ec90ce7e74f5c019542bcec24f6838f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657695736094.txt

Filesize
47KB

MD5
52cc88f1fd77909fab61697bfe522416

SHA1
670aee31158288bbd94507628a0c22ec9ca638dc

SHA256
58ea532c0c14ac8ac965ed2ed71ebf84a21e7ec6c99f1d1544a8a58aa28660af

SHA512
fa1ffb38e276d833be159cb5b7d0d3596933ee75e7ca5ed227e8ab7a66ac7111f63f54b7720ed7ca1bc0aa958d6b3773a8ddbe6ada2b208478e1b4e9e2572110

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt

Filesize
74KB

MD5
2d5966239951fad0de1247f7329e9cf1

SHA1
ec4dab3a5df75dc0623084f22905a55baf0f8ad1

SHA256
d3f30196cbedd066d4844129e6afe52a7e0487149a30b5e1d1942bd3f47b3040

SHA512
64c6b1e5242a57e2b28dea44a2ef52fc63ed6704de08d6bfe2d011e146ce16a89dcbc665bef0fe47edfdb3a59ce42b10d92a3d98b282ee098e296d1311197f3a

Download Submit
C:\Windows\bnwxefpapprl.exe

Filesize
424KB

MD5
c40b893661bbb99187869568375d63ef

SHA1
ca533304be2c72b5876d756634b2b3207793260d

SHA256
7097913d473590c8fc507d8b8b6eaee8cd9db77888ebb14fc193eafeac039d7a

SHA512
bea6153b2a3411a4d2de5da6616dfcbc9a233c1297e0d7b0a7c1c443aa03f04739c9e563027723e16cec8be14f89738167073e17c34b93a4c3baeef368c97333

Download Submit
memory/2108-0-0x00000000022B0000-0x0000000002335000-memory.dmp

Filesize
532KB

Download
memory/2108-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2108-10-0x00000000022B0000-0x0000000002335000-memory.dmp

Filesize
532KB

Download
memory/2108-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-10479-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-9626-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-6038-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-2965-0x0000000000680000-0x0000000000705000-memory.dmp

Filesize
532KB

Download
memory/3152-2963-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-10539-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3152-11-0x0000000000680000-0x0000000000705000-memory.dmp

Filesize
532KB

Download