teslacrypt | ba45f2c559c3c2e0f76441928d967c31ad6b10ee3c65ada1bbd74ee8a0052dcb

Analysis

max time kernel
131s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
Size

388KB
MD5

d957a4ca07273763ed76ba4eedce60b2
SHA1

357b159b7404225fb9271bc5c6645a79d8706153
SHA256

ba45f2c559c3c2e0f76441928d967c31ad6b10ee3c65ada1bbd74ee8a0052dcb
SHA512

0b1cef4d07a43d504b2ca95c6fbfe18f7e89235db6d6a6551f9be73ab800e2126e47fe23233b77575d34a1b91b0af576f8cb14205fdb2fd2516986b4d5057ce7
SSDEEP

6144:XYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:XnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+jyxce.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E251F02C506487A1 2. http://kkd47eh4hdjshb5t.angortra.at/E251F02C506487A1 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E251F02C506487A1 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E251F02C506487A1 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E251F02C506487A1 http://kkd47eh4hdjshb5t.angortra.at/E251F02C506487A1 http://ytrest84y5i456hghadefdsd.pontogrot.com/E251F02C506487A1 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E251F02C506487A1

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E251F02C506487A1

http://kkd47eh4hdjshb5t.angortra.at/E251F02C506487A1

http://ytrest84y5i456hghadefdsd.pontogrot.com/E251F02C506487A1

http://xlowfznrg4wf7dli.ONION/E251F02C506487A1

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (396) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+jyxce.html	jiodgtqkcvbn.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\sgqslhxgmxip = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jiodgtqkcvbn.exe\""	jiodgtqkcvbn.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2840 set thread context of 768	2840	jiodgtqkcvbn.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\Recovery+jyxce.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Recovery+jyxce.txt	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Recovery+jyxce.html	jiodgtqkcvbn.exe
File opened for modification	C:\Program Files\Uninstall Information\Recovery+jyxce.png	jiodgtqkcvbn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jiodgtqkcvbn.exe	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
File opened for modification	C:\Windows\jiodgtqkcvbn.exe	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiodgtqkcvbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiodgtqkcvbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0979fed2b4adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1485dd57f3d164982afe404571a00ad00000000020000000000106600000001000020000000e2dc07ae783a223d986fb77243386dd040d6b87c19f553ef8cc9674053a1a93c000000000e8000000002000020000000d0071469e4d91268ef262b8072f2c57f156ce1f3ad9b69fb15ee4022337747ce90000000fe852bf7d54ebeee270d4529a979d3904c2756e1da58e36db53996fe747226e1d2c4d681bd7850779758e3193a8a0e3a54f5f48cfba3eca5c38d78b43d96580637865717377c25b8a898db378d6e53329fe80fe7ab40a2189fcc33c127dd9ed63971960282922ad05f52d641aca0ac1104e5856732b75609402e95c18eeac743aac60393d488509f4b519bf5a11b490340000000b5f96d44e2c7ebd3e23fede93d277293369711cdca460486ea0e06b2f5b883f8d320908f6143608cbb23e7463f9939c63619161a9366cdac13dbe8c0d2e8b959	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19047291-B61F-11EF-BF23-EE33E2B06AA8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1485dd57f3d164982afe404571a00ad00000000020000000000106600000001000020000000890366653c486ae66dc4d49e4b2ea1afb3fbc6f4be222de37596479bfe232db4000000000e8000000002000020000000e5a86372991a9906dc711f9e09e7ade71f711ff263cd7e5ac08e4c2f33fae3ca20000000a8d10eb35e92ba53b7177d45b3d9ebd1d6cf8334fb8556f1028d67121201d9b640000000352320703a79654eef03958f12d14f510440cc4bf2346197dc39351e1d87a4e86e628e090819a844b01f444ddcc2b2659a2424a906e8e5d9a45e70fc6f2f616e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	jiodgtqkcvbn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	jiodgtqkcvbn.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
920	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe
768	jiodgtqkcvbn.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
Token: SeDebugPrivilege	768	jiodgtqkcvbn.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
880	iexplore.exe
2416	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
880	iexplore.exe
880	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2416	DllHost.exe
2416	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2016	2368	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2840	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	32
PID 2016 wrote to memory of 2840	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	32
PID 2016 wrote to memory of 2840	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	32
PID 2016 wrote to memory of 2840	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	32
PID 2016 wrote to memory of 2776	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2776	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2776	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	33
PID 2016 wrote to memory of 2776	2016	d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe	33
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 2840 wrote to memory of 768	2840	jiodgtqkcvbn.exe	35
PID 768 wrote to memory of 2444	768	jiodgtqkcvbn.exe	36
PID 768 wrote to memory of 2444	768	jiodgtqkcvbn.exe	36
PID 768 wrote to memory of 2444	768	jiodgtqkcvbn.exe	36
PID 768 wrote to memory of 2444	768	jiodgtqkcvbn.exe	36
PID 768 wrote to memory of 920	768	jiodgtqkcvbn.exe	41
PID 768 wrote to memory of 920	768	jiodgtqkcvbn.exe	41
PID 768 wrote to memory of 920	768	jiodgtqkcvbn.exe	41
PID 768 wrote to memory of 920	768	jiodgtqkcvbn.exe	41
PID 768 wrote to memory of 880	768	jiodgtqkcvbn.exe	42
PID 768 wrote to memory of 880	768	jiodgtqkcvbn.exe	42
PID 768 wrote to memory of 880	768	jiodgtqkcvbn.exe	42
PID 768 wrote to memory of 880	768	jiodgtqkcvbn.exe	42
PID 880 wrote to memory of 2764	880	iexplore.exe	44
PID 880 wrote to memory of 2764	880	iexplore.exe	44
PID 880 wrote to memory of 2764	880	iexplore.exe	44
PID 880 wrote to memory of 2764	880	iexplore.exe	44
PID 768 wrote to memory of 2844	768	jiodgtqkcvbn.exe	45
PID 768 wrote to memory of 2844	768	jiodgtqkcvbn.exe	45
PID 768 wrote to memory of 2844	768	jiodgtqkcvbn.exe	45
PID 768 wrote to memory of 2844	768	jiodgtqkcvbn.exe	45
PID 768 wrote to memory of 1212	768	jiodgtqkcvbn.exe	48
PID 768 wrote to memory of 1212	768	jiodgtqkcvbn.exe	48
PID 768 wrote to memory of 1212	768	jiodgtqkcvbn.exe	48
PID 768 wrote to memory of 1212	768	jiodgtqkcvbn.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jiodgtqkcvbn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jiodgtqkcvbn.exe

C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\jiodgtqkcvbn.exe
    C:\Windows\jiodgtqkcvbn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\jiodgtqkcvbn.exe
      C:\Windows\jiodgtqkcvbn.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:768
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2764
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JIODGT~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D957A4~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+jyxce.html

Filesize
9KB

MD5
7db800741d2edea9bd5e1616ddd6219b

SHA1
0ce68fe2a44f5d6ee48d4aa2da68e173a6f7935a

SHA256
9bdee57b37fab4d7003d3ec6ebce083ab5a088c646bc09ba42055d4fd30af51c

SHA512
b5719d03023fbcd2e1d2e51aa9bdc9f3b4487e75061083df30841434738cc42e77063fcb076b34edf9e2d62eb7835043390c18ce561edf53036959281256c3bf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+jyxce.png

Filesize
63KB

MD5
6b6d2bbfd8043527ad643ba9dc6c2e11

SHA1
0bf2d65cdeecea2561dda1a58cb8e24f69ce0f5f

SHA256
0364bb76f0b2ca46bfb8ea1454db715749ab40197aa6dbf55ad0ac4019fdcd66

SHA512
1d6f5e7b78792a6042f25b28a4ed8f062da581fdf71ed1a7b0725a08c51daea6456435b2ebd05b14205e8c0eb417b225124c18d6881e46b0f592e44ea2de1829

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+jyxce.txt

Filesize
1KB

MD5
c769d08087573a6ffa978410b1d82150

SHA1
2f757083f0184713e38f5345d6cadac5763afb30

SHA256
7eb05e30e11d9e3c6bc77c4fb86e97725ecf90807b545e4bd925311a875acaff

SHA512
72699e83daaccfeebf8671b2aec800ff698bddcdae359b7da947efc7fba0a28407f0126331a642e6abdf3b6c50933e294fa57e1bed452013d0bde0152009e499

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
61d34181044e0326514da2f698720339

SHA1
5f49be6ee51d542c2cd24ed7228b932c5ee8d349

SHA256
754cea10d147ccadc8bf7e540ada14868f1187d7ab2c77050206639fe709a038

SHA512
578250d0709cd79fdcae0594e6f57ab53134a623506538222422634364cab37fc625deb9dd1bb4cc578f112bce3e9f07be8abc727a3a0d4ebf4d6289eead2476

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
41726e1c6b725f20dde01f38865945e2

SHA1
8dbdd9e3ce068d44325da7c54069b46d36be5251

SHA256
865403e4dd6cdf6be35120c7eec7797fc396fc883b3d8523ec8a08464ff6415b

SHA512
a499968088d52a1da9609bb99179f6b4888dddd7c891e95dcfbbe74407ff8a2f4ce8bfbc2deedf63a6ea389460c6b2354773e9415cffa7eefdfc221ac8daadc8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
e6155f3cfed0e911552321e292e40e4c

SHA1
c9e81cff1744d4dd61f4cfa6d33cf99bfcb04dc6

SHA256
5c8e24a4b17a9a6571e0b2a0a3ea9904a61076098e36dd7059337380ddfccf4b

SHA512
6cd8eb6e4bbe7bdbbe3c0751dfec6265d69af7d51b0a795f61ba9287af24c9ec9cf31dc6573215b4f2cebc7070081a098ccf85c23effc9326b4a70a374b27b5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e8d001378b805d4a49791d580c47d27e

SHA1
fbf36a15a28b8fffc3adf73a6097e5dad02ab49c

SHA256
719e1112200b2a20be4b075b292af4b5ede8caa2fd072870255d62b187bee67f

SHA512
569be2f2acb7153a9f7aa231f7d0cb5308a08a5f2bba6895d3e10027b4f1c75e7a609a72f2de00ae560a80d3dc00cea2603b118b16b2edf22cd28ddd44d5b30f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a89483e1a1e62f38d59a057e0d84b9

SHA1
085e92024fc9e3903c2cb274ac7ce48eb6721884

SHA256
e53210a6d6f884ffbb20e3e1266107f5830d2c08451cac22d1ed7031369d1c70

SHA512
3397e3a536001e985e616af514fac90a3bd410df5d3ef4cd810581ebba2bd0d3b8634c5dc2c76ae1cd5796a71617e3b0d710d95c4c8aaa8089d594b73bb55e41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa23d0bfbca0c93c354af919abb59061

SHA1
7d827a83e1f969d2456f63e743791704c2f18a57

SHA256
7c3bac709f191b02d30452b653e4cd0cd3e7f74ae3eb162c37be7e3663f701c1

SHA512
257e9b1a0919e7299e2f080b9b3d332a24551871a773ffe08d0a1e798a2bd6ab8f3a5158512d7ad82f83c83ba0712577c4eb29c1102ab6b0ae46b0527fe64193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bc467fceb2d2e64c88ad24604057629

SHA1
35d903fdcfa6c8ac02e3a0254c8d08ddabc1f5eb

SHA256
674e923cff34f217ea0e10755b574d6d4d7e906376af73c32e52d2b8a73bf093

SHA512
01bc4503656a4cd8a7224e42c85d1ee34934a74c96d74d816aa0ad7771dbb57e05409c205fe300d5e806e3157ca9d4d4b907ebf1eb588053a432023add40b1c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5680af0404e956c5b6e8b0f53e64e2bd

SHA1
7bb102aa7d6d11b4b392ca7089cff30bb2217002

SHA256
f18d54d6906e4da4b920762601c88f3d6ead5c015802c6cdd2ab64ad8d2be6b3

SHA512
6e1d4910ca3f490454a9242634331d21611039585e66e66d715c941ffe45bcb7e441bb5af7b9203eb3ed6508b48e8436b67ea122647a5cb1b41f0b4642a96408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b28fe820ea3e59226d6e98ac92a881

SHA1
efd06571671dbd2a5b7503ef1d8036496448679c

SHA256
d298c3ad5f83c2f85721bcc95af8e65a5d60168bb544ae5b723badebd84e34b1

SHA512
9f24ad819fe2eabe2f0756f534eaaeb04268f190596da3d0f7cf869641590c08d32186360f4324b4d18b5a735bb67bded082b8855051219c2860b684122249df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98aa5a4b000a18c40ce5b204e36acc24

SHA1
4be9469002537c354c65d23a402d52dea2c057c6

SHA256
2644fab2c117e76f38c6d00d1b970a372b2f12e5c6dba0037e5ffc09af940b66

SHA512
668bbcf3d3821abf53c3532a383f2dc120f14ea282687a1296c86063289089bfc5f044ed93df01eedda81d5bbb2a339df23eb4c01a0e93fc5ece9bb9e9f05039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83883511d43c0f59ca959976e818dcb2

SHA1
684f808f3c788a21abdd29fbda935556e4b4a864

SHA256
b216c0822c1e93f744b051e3c5e32885a78a717b156edab5864574c6717b43a6

SHA512
026f758855bb8b35fe88034f0cf8aa8ec9f6c4cedbf63031d7d7941b3cc9e7ade86bd1a6f487ef5a48c2fcf5105dc0a9a7922fe106e99c7e0f87c6bcead195a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
452cfbfc2265dc3c916d4ac4627daacb

SHA1
4bb4239b4490ab584a0952439733f869e12f8903

SHA256
34b2af6b2367b1bdf4449a8731e6b68ecb4518905b5e475e73a7445718b06163

SHA512
5f0a664744226c50b648c6f78e4f4490067a842d5e586c675f3a95a1937b5d811f3611ca8e4731b0cddc3470b1d6a248148bdebb7b159849be39ced30ed7eafc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fef3c2375720a3df0a439e8c9ceb2879

SHA1
8c1381ef9e0e72bb4e0e2ab9a91deed4304816f9

SHA256
c5f81ee2abad63436a0e0da8a38a6cf3052e3788121dbc41c2602f21a8650ad6

SHA512
edb3903319199853b74a4067e40be4c963cb9d642f9fe349aa0461e6f07a276e2b28393a1dc5274caa6b2c6f32686660161b419fedceca1b6a944db2d29f37e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
040af68f79453d8b0fd7420cb53f1b1f

SHA1
e018e2f043ac9e1af1fb1d6082aefd35bf28ac60

SHA256
38c3c61ed7911200381fdf3d9ff3c570c125bc32d341230f574eb1864c619962

SHA512
dbb5af81cb5aee8c58693f888ffbc7d37314836abf54d6b2947dc15aab9577e10bba08662a4c79ad835c2b1d1bfbc280c03f79aaa70af0da218158d3c2f33b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab510E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5140.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jiodgtqkcvbn.exe

Filesize
388KB

MD5
d957a4ca07273763ed76ba4eedce60b2

SHA1
357b159b7404225fb9271bc5c6645a79d8706153

SHA256
ba45f2c559c3c2e0f76441928d967c31ad6b10ee3c65ada1bbd74ee8a0052dcb

SHA512
0b1cef4d07a43d504b2ca95c6fbfe18f7e89235db6d6a6551f9be73ab800e2126e47fe23233b77575d34a1b91b0af576f8cb14205fdb2fd2516986b4d5057ce7

Download Submit
memory/768-863-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-6042-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-861-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-884-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-2918-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-5061-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-6006-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-6012-0x0000000002EE0000-0x0000000002EE2000-memory.dmp

Filesize
8KB

Download
memory/768-6039-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-6015-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-6016-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2368-0-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2368-19-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2368-1-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2416-6013-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2840-31-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download