teslacrypt | 1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b

General

Target

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe
Size

370KB
MD5

57b33c329990ba3f266fb59ef6468568
SHA1

fc73e1a2aa3124e2924f62d09db42e10614d928a
SHA256

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b
SHA512

ad8f3c76e9199a0d3b408426acc9163ce278ab11d951d3de7dd69b4ea54fd21a9ec37f65c16e70bfd440420a7e74f8ee55d9a30d6fa847d5af1dfccd82186f3b

Score

10^/10

teslacrypt persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+aecnt.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E507C241A439684 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E507C241A439684

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/E507C241A439684

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E507C241A439684

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E507C241A439684

http://xlowfznrg4wf7dli.ONION/E507C241A439684

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

pycwtoxagmsy.exe

pid process

1644 pycwtoxagmsy.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

pycwtoxagmsy.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DismountRename.raw => C:\Users\Admin\Pictures\DismountRename.raw.mp3	pycwtoxagmsy.exe
File renamed	C:\Users\Admin\Pictures\LockMove.png => C:\Users\Admin\Pictures\LockMove.png.mp3	pycwtoxagmsy.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe

pid	process
1716	cmd.exe

Drops startup file 3 IoCs

Processes:

pycwtoxagmsy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pycwtoxagmsy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	pycwtoxagmsy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ffintplvmaor = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pycwtoxagmsy.exe\""	pycwtoxagmsy.exe

Drops file in Program Files directory 64 IoCs

Processes:

pycwtoxagmsy.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\da.pak	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_RECoVERY_+aecnt.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_RECoVERY_+aecnt.txt	pycwtoxagmsy.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_RECoVERY_+aecnt.html	pycwtoxagmsy.exe

Drops file in Windows directory 2 IoCs

Processes:

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe

description	ioc	process
File created	C:\Windows\pycwtoxagmsy.exe	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe
File opened for modification	C:\Windows\pycwtoxagmsy.exe	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C24AFED1-E66C-11EC-8FE9-F2D3CC06C800} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pycwtoxagmsy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	pycwtoxagmsy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	pycwtoxagmsy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	pycwtoxagmsy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	pycwtoxagmsy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	pycwtoxagmsy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	pycwtoxagmsy.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

220 NOTEPAD.EXE

pid	process
220	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pycwtoxagmsy.exe

pid	process
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe
1644	pycwtoxagmsy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exepycwtoxagmsy.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe
Token: SeDebugPrivilege	1644	pycwtoxagmsy.exe
Token: SeIncreaseQuotaPrivilege	276	WMIC.exe
Token: SeSecurityPrivilege	276	WMIC.exe
Token: SeTakeOwnershipPrivilege	276	WMIC.exe
Token: SeLoadDriverPrivilege	276	WMIC.exe
Token: SeSystemProfilePrivilege	276	WMIC.exe
Token: SeSystemtimePrivilege	276	WMIC.exe
Token: SeProfSingleProcessPrivilege	276	WMIC.exe
Token: SeIncBasePriorityPrivilege	276	WMIC.exe
Token: SeCreatePagefilePrivilege	276	WMIC.exe
Token: SeBackupPrivilege	276	WMIC.exe
Token: SeRestorePrivilege	276	WMIC.exe
Token: SeShutdownPrivilege	276	WMIC.exe
Token: SeDebugPrivilege	276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	276	WMIC.exe
Token: SeRemoteShutdownPrivilege	276	WMIC.exe
Token: SeUndockPrivilege	276	WMIC.exe
Token: SeManageVolumePrivilege	276	WMIC.exe
Token: 33	276	WMIC.exe
Token: 34	276	WMIC.exe
Token: 35	276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	276	WMIC.exe
Token: SeSecurityPrivilege	276	WMIC.exe
Token: SeTakeOwnershipPrivilege	276	WMIC.exe
Token: SeLoadDriverPrivilege	276	WMIC.exe
Token: SeSystemProfilePrivilege	276	WMIC.exe
Token: SeSystemtimePrivilege	276	WMIC.exe
Token: SeProfSingleProcessPrivilege	276	WMIC.exe
Token: SeIncBasePriorityPrivilege	276	WMIC.exe
Token: SeCreatePagefilePrivilege	276	WMIC.exe
Token: SeBackupPrivilege	276	WMIC.exe
Token: SeRestorePrivilege	276	WMIC.exe
Token: SeShutdownPrivilege	276	WMIC.exe
Token: SeDebugPrivilege	276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	276	WMIC.exe
Token: SeRemoteShutdownPrivilege	276	WMIC.exe
Token: SeUndockPrivilege	276	WMIC.exe
Token: SeManageVolumePrivilege	276	WMIC.exe
Token: 33	276	WMIC.exe
Token: 34	276	WMIC.exe
Token: 35	276	WMIC.exe
Token: SeBackupPrivilege	784	vssvc.exe
Token: SeRestorePrivilege	784	vssvc.exe
Token: SeAuditPrivilege	784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1720	WMIC.exe
Token: SeSecurityPrivilege	1720	WMIC.exe
Token: SeTakeOwnershipPrivilege	1720	WMIC.exe
Token: SeLoadDriverPrivilege	1720	WMIC.exe
Token: SeSystemProfilePrivilege	1720	WMIC.exe
Token: SeSystemtimePrivilege	1720	WMIC.exe
Token: SeProfSingleProcessPrivilege	1720	WMIC.exe
Token: SeIncBasePriorityPrivilege	1720	WMIC.exe
Token: SeCreatePagefilePrivilege	1720	WMIC.exe
Token: SeBackupPrivilege	1720	WMIC.exe
Token: SeRestorePrivilege	1720	WMIC.exe
Token: SeShutdownPrivilege	1720	WMIC.exe
Token: SeDebugPrivilege	1720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1720	WMIC.exe
Token: SeRemoteShutdownPrivilege	1720	WMIC.exe
Token: SeUndockPrivilege	1720	WMIC.exe
Token: SeManageVolumePrivilege	1720	WMIC.exe
Token: 33	1720	WMIC.exe
Token: 34	1720	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

520 iexplore.exe
632 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

520 iexplore.exe
520 iexplore.exe
1200 IEXPLORE.EXE
1200 IEXPLORE.EXE

pid	process
520	iexplore.exe
632	DllHost.exe

pid	process
520	iexplore.exe
520	iexplore.exe
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exepycwtoxagmsy.exeiexplore.exe

description	pid	process	target process
PID 536 wrote to memory of 1644	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	pycwtoxagmsy.exe
PID 536 wrote to memory of 1644	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	pycwtoxagmsy.exe
PID 536 wrote to memory of 1644	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	pycwtoxagmsy.exe
PID 536 wrote to memory of 1644	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	pycwtoxagmsy.exe
PID 536 wrote to memory of 1716	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	cmd.exe
PID 536 wrote to memory of 1716	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	cmd.exe
PID 536 wrote to memory of 1716	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	cmd.exe
PID 536 wrote to memory of 1716	536	1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe	cmd.exe
PID 1644 wrote to memory of 276	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 276	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 276	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 276	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 220	1644	pycwtoxagmsy.exe	NOTEPAD.EXE
PID 1644 wrote to memory of 220	1644	pycwtoxagmsy.exe	NOTEPAD.EXE
PID 1644 wrote to memory of 220	1644	pycwtoxagmsy.exe	NOTEPAD.EXE
PID 1644 wrote to memory of 220	1644	pycwtoxagmsy.exe	NOTEPAD.EXE
PID 1644 wrote to memory of 520	1644	pycwtoxagmsy.exe	iexplore.exe
PID 1644 wrote to memory of 520	1644	pycwtoxagmsy.exe	iexplore.exe
PID 1644 wrote to memory of 520	1644	pycwtoxagmsy.exe	iexplore.exe
PID 1644 wrote to memory of 520	1644	pycwtoxagmsy.exe	iexplore.exe
PID 520 wrote to memory of 1200	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1200	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1200	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1200	520	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1720	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 1720	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 1720	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 1720	1644	pycwtoxagmsy.exe	WMIC.exe
PID 1644 wrote to memory of 1840	1644	pycwtoxagmsy.exe	cmd.exe
PID 1644 wrote to memory of 1840	1644	pycwtoxagmsy.exe	cmd.exe
PID 1644 wrote to memory of 1840	1644	pycwtoxagmsy.exe	cmd.exe
PID 1644 wrote to memory of 1840	1644	pycwtoxagmsy.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pycwtoxagmsy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pycwtoxagmsy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pycwtoxagmsy.exe

C:\Users\Admin\AppData\Local\Temp\1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe
"C:\Users\Admin\AppData\Local\Temp\1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\pycwtoxagmsy.exe
  C:\Windows\pycwtoxagmsy.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:220
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1200
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PYCWTO~1.EXE
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1CC658~1.EXE
  2⤵
  - Deletes itself
  PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RECOVERY.HTM

Filesize
10KB

MD5
a2196f3205fdd9e3a6bda5a721e071b6

SHA1
b23ca73edf809225490f0a9517a3c46d5405a8b8

SHA256
d1c6e971a1c865e28eae0f3fefc7bb29269663dc0f3b24c5b75459fc70de5ffa

SHA512
f3eefded3943e81a21e34ec06be5f8401221e1701068bb46b6408ae4d290228fd94b4ab56d527fd62de44ad9ae4aa4d8029c4ee28e93d84f1b5ba44f66dc3fd2

Download Submit
C:\Users\Admin\Desktop\RECOVERY.TXT

Filesize
1KB

MD5
05c32b553d92385f2bb06616788df487

SHA1
7faeef0d408423f9cc5ce7f136ee315a01abcd11

SHA256
e24b488744679dbbc50cb90b0e48f6e833669bd5bc1b6bed098a0b1b4ad48e84

SHA512
182fcd64c86b5f648bb6c99d4fa1a590bc94f57d121e14ba14487a7d2c2d1e9f89e622d0d7d886aae2d0e488d96d04c96b21b39b8ec82b9a0a8e884aeba1c542

Download Submit
C:\Users\Admin\Desktop\RECOVERY.png

Filesize
63KB

MD5
d28193864fee3dec7e41ffd967c1bac3

SHA1
749160fccfc14434f709e89ddaab7f4a60c62498

SHA256
233cf86ded59d0f0c46822e05c3beed7ee4dbfd3f1d31dbb520dd5670dfbd70a

SHA512
94bfebc5464d9c456f7299b65e1b8161a3d8995904e5bce9f27bde18b70f897671578c23e64ebcaa6561865f76fefccecf2df58434479f54344347296cfc08ea

Download Submit
C:\Windows\pycwtoxagmsy.exe

Filesize
370KB

MD5
57b33c329990ba3f266fb59ef6468568

SHA1
fc73e1a2aa3124e2924f62d09db42e10614d928a

SHA256
1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b

SHA512
ad8f3c76e9199a0d3b408426acc9163ce278ab11d951d3de7dd69b4ea54fd21a9ec37f65c16e70bfd440420a7e74f8ee55d9a30d6fa847d5af1dfccd82186f3b

Download Submit
C:\Windows\pycwtoxagmsy.exe

Filesize
370KB

MD5
57b33c329990ba3f266fb59ef6468568

SHA1
fc73e1a2aa3124e2924f62d09db42e10614d928a

SHA256
1cc6588ef5bedc29ed497ebd5acd253af95f6938c1d731cab2ca5d910b00ec0b

SHA512
ad8f3c76e9199a0d3b408426acc9163ce278ab11d951d3de7dd69b4ea54fd21a9ec37f65c16e70bfd440420a7e74f8ee55d9a30d6fa847d5af1dfccd82186f3b

Download Submit
memory/220-66-0x0000000000000000-mapping.dmp

Download
memory/276-65-0x0000000000000000-mapping.dmp

Download
memory/536-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/536-55-0x0000000001CC0000-0x0000000001CEE000-memory.dmp

Filesize
184KB

Download
memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/536-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1644-62-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1644-57-0x0000000000000000-mapping.dmp

Download
memory/1644-64-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1644-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1716-60-0x0000000000000000-mapping.dmp

Download
memory/1720-70-0x0000000000000000-mapping.dmp

Download
memory/1840-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads