Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
26/06/2022, 03:43
Static task
static1
Behavioral task
behavioral1
Sample
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
-
Size
424KB
-
MD5
591c7f90216f596b849ef9562b8f155b
-
SHA1
f3c185a27c38214418daa50407c9964fd5281d95
-
SHA256
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
-
SHA512
31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+lyjcr.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/C0C921457C34B8B9
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C0C921457C34B8B9
URLs
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9
http://xlowfznrg4wf7dli.ONION/C0C921457C34B8B9
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+lyjcr.html
Ransom Note
<html>
<style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }
.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center>
<div style="text-align:left; font-family:Arial; <!---=0=0=0=0=0 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">
<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>
What<!------=0=0=0=0=0 --> happened <!------=0=0=0=0=0 --> to your<!------=0=0=0=0=0 --> files?</b></font><br> <font style="font-size:13px;">All <!------=0=0=0=0=0 -->of your files<!------=0=0=0=0=0 --> were
<!------=0=0=0=0=0 --> protected by a strong<!------=0=0=0=0=0 --> encr<!---=0=0=0=0=0 -->yption wi<!---=0=0=0=0=0 -->th <!------=0=0=0=0=0 -->RSA4096 <!------=0=0=0=0=0 -->
<br> More <!------=0=0=0=0=0 --> information about the <!------=0=0=0=0=0 -->encryption RSA4096 can be<!------=0=0=0=0=0 -->
fou<!---=0=0=0=0=0 -->nd <a href=http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> http://en.wikipedia.org/wiki/RSA_(cryptosystem) </a><br></font>
<br><b><font class="ttl">Wh<!--=0=0=0=0=0 -->at <!------=0=0=0=0=0 --> does th<!--=0=0=0=0=0 -->is mean?</b></font><br><font style="font-size:13px;">
T<!--=0=0=0=0=0 -->his<!------=0=0=0=0=0 --> mea<!--=0=0=0=0=0 -->ns that the <!------=0=0=0=0=0 --> str<!--=0=0=0=0=0 -->ucture and da<!--=0=0=0=0=0 -->ta wi<!--=0=0=0=0=0 -->thin your
<!------=0=0=0=0=0 -->files ha<!--=0=0=0=0=0 -->ve be<!--=0=0=0=0=0 -->en<!------=0=0=0=0=0 --> irre<!--=0=0=0=0=0 -->voca<!--=0=0=0=0=0 -->bly
changed, you will not be able work
wi<!--=0=0=0=0=0 -->th
them, read<!------=0=0=0=0=0 --> th<!--=0=0=0=0=0 -->em or see them, <!------=0=0=0=0=0 -->it is the s<!--=0=0=0=0=0 -->ame thing
<!------=0=0=0=0=0 -->as los<!--=0=0=0=0=0 -->ing <!------=0=0=0=0=0 -->them for<!--=0=0=0=0=0 -->ever,
but with our he<!--=0=0=0=0=0 -->lp, you <!------=0=0=0=0=0 --> can re<!--=0=0=0=0=0 -->st<!--=0=0=0=0=0 -->ore t<!--=0=0=0=0=0 -->hem
<br><br><b><font class="ttl"><!------=0=0=0=0=0 -->Ho<!--=0=0=0=0=0 -->w d<!--=0=0=0=0=0 -->id th<!--=0=0=0=0=0 -->is hap<!--=0=0=0=0=0 -->pen?<!------=0=0=0=0=0 --></b></font> <br> <!------=0=0=0=0=0 -->
<font style="font-size:13px;"><!------=0=0=0=0=0 --> Espec<!--=0=0=0=0=0 -->ially for y<!--=0=0=0=0=0 -->ou,<!------=0=0=0=0=0 --> on our SER<!--=0=0=0=0=0 -->VER <!------=0=0=0=0=0 -->was gene<!--=0=0=0=0=0 -->rated
<!------=0=0=0=0=0 -->the sec<!--=0=0=0=0=0 -->ret k<!--=0=0=0=0=0 -->ey
<br>Al<!--=0=0=0=0=0-->l y<!--=0=0=0=0=0-->our <!------=0=0=0=0=0 --> files w<!--=0=0=0=0=0-->ere encry<!--=0=0=0=0=0-->pted with the p<!--=0=0=0=0=0-->ublic k<!--=0=0=0=0=0-->ey,
<!------=0=0=0=0=0 --> wh<!--=0=0=0=0=0-->ich has b<!--=0=0=0=0=0-->een <!------=0=0=0=0=0 -->
trans<!--=0=0=0=0=0-->ferred to <!------=0=0=0=0=0 -->y<!--=0=0=0=0=0-->our co<!--=0=0=0=0=0-->mputer via <!------=0=0=0=0=0 -->the Inter<!--=0=0=0=0=0-->net.<!--=0=0=0=0=0--><br>
<!------=0=0=0=0=0 --> Decr<!--=0=0=0=0=0-->ypting of <!------=0=0=0=0=0 -->YO<!--=0=0=0=0=0-->UR FI<!--=0=0=0=0=0-->LES is
<!--=0=0=0=0=0 -->on<!--=0=0=0=0=0 -->ly p<!--=0=0=0=0=0 -->oss<!--=0=0=0=0=0-->ible <!--- -=0=0=0=0=0 -->w<!--=0=0=0=0=0 -->ith the he<!--=0=0=0=0=0-->lp of t<!--=0=0=0=0=0 -->he <!----=0=0=0=0=0 -->pri<!--=0=0=0=0=0-->va<!--=0=0=0=0=0 -->te k<!--=0=0=0=0=0-->ey a<!--=0=0=0=0=0 -->nd <!--=0=0=0=0=0 -->d<!--=0=0=0=0=0 -->ecr<!--=0=0=0=0=0-->ypt p<!--=0=0=0=0=0 -->rog<!--=0=0=0=0=0-->ram
<!--=0=0=0=0=0 -->wh<!--=0=0=0=0=0-->ich is on our <!--- -=0=0=0=0=0 -->Sec<!--=0=0=0=0=0-->ret <!--=0=0=0=0=0 -->Ser<!--=0=0=0=0=0-->ver!!!
</font><br><br><b><font class="ttl">Wh<!--=0=0=0=0=0-->at do I do?</b></font> <br><font style="font-size:13px;">Alas, if you <!--=0=0=0=0=0 --> do not take
<!---=0=0=0=0=0 --> the nece<!--=0=0=0=0=0-->ssary meas<!--=0=0=0=0=0-->ures
<!--=0=0=0=0=0-->for the spec<!--=0=0=0=0=0-->ified ti<!--=0=0=0=0=0-->me th<!--=0=0=0=0=0-->en t<!--=0=0=0=0=0-->he co<!--=0=0=0=0=0-->nditions fo<!--=0=0=0=0=0-->r obta<!--=0=0=0=0=0-->ining the priv<!--=0=0=0=0=0-->ate
ke<!--=0=0=0=0=0-->y w<!--=0=0=0=0=0-->ill be cha<!--=0=0=0=0=0-->nged<!--- =0=0=0=0=0 -->
<br>
<!-----=0=0=0=0=0 --> If you really need <!------=0=0=0=0=0 --> your data, <!------=0=0=0=0=0 -->then we suggest you <!------=0=0=0=0=0 --> do not waste<!------=0=0=0=0=0 --> valuable <!------=0=0=0=0=0 --> time searching <!------=0=0=0=0=0 -->for other <!------=0=0=0=0=0 --> solutions <!------=0=0=0=0=0 -->becausen
<!----=0=0=0=0=0 --> they do not exist.</font><br><br>
<!----=0=0=0=0=0 --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions,
please<!------=0=0=0=0=0 --> visit your <!------=0=0=0=0=0 --> personal <!------=0=0=0=0=0 -->home page,<!------=0=0=0=0=0 --> there are<!------=0=0=0=0=0 --> a few <!------=0=0=0=0=0 -->different <!------=0=0=0=0=0 -->addresses<!------=0=0=0=0=0 --> pointing to <!------=0=0=0=0=0 --> your page<!------=0=0=0=0=0 --> below:<b><hr>
<!---9=9=9=9=9=9=9=9---> 1 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9</a> <br>
<!------9=9=9=9=9=9=9=9 --> 2 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9</a> <br>
<!------9=9=9=9=9=9=9=9 --> 3 - <a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9</a> <br>
<!------9=9=9=9=9=9=9=9 --></div><br><div class="tb" style="font-size:13px; border-color:#880000;"><b>If for some reasons the
<!-----9=9=9=9=9=9=9=9 --> addresses are not available, <!------9=9=9=9=9=9=9=9 --> follow these steps:</b> <hr>
1 - <!------9=9=9=9=9=9=9=9 --> Download and <!------9=9=9=9=9=9=9=9 --> install tor-browser:
<a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>
2 - <!---9=9=9=9=9=9=9=9 --> Af<!---9=9=9=9=9=9=9=9--->ter a<!---9=9=9=9=9=9=9=9---> succe<!---9=9=9=9=9=9=9=9--->ssful<!------9=9=9=9=9=9=9=9 --> instal<!---9=9=9=9=9=9=9=9--->lation, run the br<!---9=9=9=9=9=9=9=9--->owser and w<!---9=9=9=9=9=9=9=9--->ait for initi<!---9=9=9=9=9=9=9=9--->alization.<br>
3 - <!--- 9=9=9=9=9=9=9=9 --> Ty<!---9=9=9=9=9=9=9=9--->pe<!-- 9=9=9=9=9=9=9=9 --> in<!-- 9=9=9=9=9=9=9=9 --> the t<!---9=9=9=9=9=9=9=9--->or-bro<!---9=9=9=9=9=9=9=9--->wser<!-- 9=9=9=9=9=9=9=9 --> add<!---9=9=9=9=9=9=9=9--->ress<!-- 9=9=9=9=9=9=9=9 --> bar: <font style="font-weight:bold; color:#009977;"><!-- 9=9=9=9=9=9=9=9 -->xlowfznrg4wf7dli.onion/C0C921457C34B8B9<!-- 9=9=9=9=9=9=9=9 --></font><!-- 9=9=9=9=9=9=9=9 --><br>
4 - <!--- 9=9=9=9=9=9=9=9 --> Fol<!---9=9=9=9=9=9=9=9--->low the instr<!---9=9=9=9=9=9=9=9--->uctions <!-- 9=9=9=9=9=9=9=9 --> on the site.</div><br><br><b>!!! IMPO<!---9=9=9=9=9=9=9=9--->RTANT INFO<!---9=9=9=9=9=9=9=9--->RMATION:</b><br>
<!-----9=9=9=9=9=9=9=9 --><div class="tb" style="width:790px;"><!-----9=9=9=9=9=9=9=9 --> Yo<!---9=9=9=9=9=9=9=9--->ur Pers<!---9=9=9=9=9=9=9=9--->onal PAGES<b>:
<br> <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C0C921457C34B8B9</a> <br><a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C0C921457C34B8B9</a> <br>
<!-----9=9=9=9=9=9=9=9 --><a href=http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9 target="_blank">http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0C921457C34B8B9</a> <br>
<!-----9=9=9=9=9=9=9=9 --> Your <!------9=9=9=9=9=9=9=9 --> Personal TOR-Browser<!-----9=9=9=9=9=9=9=9 --> page :
<!-----9=9=9=9=9=9=9=9 --><font style="font-weight:bold; color:#009977;"><!-- 9=9=9=9=9=9=9=9 -->xlowfznrg4wf7dli.onion/C0C921457C34B8B9<!-- 9=9=9=9=9=9=9=9 --></font><br>
<!-----9=9=9=9=9=9=9=9 --> Your personal <!------9=9=9=9=9=9=9=9 --> ID
<!-----9=9=9=9=9=9=9=9 --> (if you open <!------9=9=9=9=9=9=9=9 --> the site directly):
<!-----9=9=9=9=9=9=9=9 --> <font style="font-weight:bold; color:#770000;">C0C921457C34B8B9</font><br>
</div></div></center></body></html>
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1000 nvqbrxkktqbm.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\DebugSelect.raw => C:\Users\Admin\Pictures\DebugSelect.raw.mp3 nvqbrxkktqbm.exe File renamed C:\Users\Admin\Pictures\ExitSync.crw => C:\Users\Admin\Pictures\ExitSync.crw.mp3 nvqbrxkktqbm.exe File renamed C:\Users\Admin\Pictures\UseStop.raw => C:\Users\Admin\Pictures\UseStop.raw.mp3 nvqbrxkktqbm.exe -
Deletes itself 1 IoCs
pid Process 1776 cmd.exe -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run nvqbrxkktqbm.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\arcnngqwyufh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\nvqbrxkktqbm.exe\"" nvqbrxkktqbm.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Common Files\System\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv nvqbrxkktqbm.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\th.pak nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\_RECoVERY_+lyjcr.html nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tet\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Journal\es-ES\_RECoVERY_+lyjcr.txt nvqbrxkktqbm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\flyout.css nvqbrxkktqbm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\_RECoVERY_+lyjcr.png nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css nvqbrxkktqbm.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js nvqbrxkktqbm.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png nvqbrxkktqbm.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\nvqbrxkktqbm.exe 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe File opened for modification C:\Windows\nvqbrxkktqbm.exe 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A189051-F526-11EC-B669-4659A2147DF1} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 nvqbrxkktqbm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e nvqbrxkktqbm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e nvqbrxkktqbm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e nvqbrxkktqbm.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 208 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe 1000 nvqbrxkktqbm.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe Token: SeDebugPrivilege 1000 nvqbrxkktqbm.exe Token: SeIncreaseQuotaPrivilege 688 WMIC.exe Token: SeSecurityPrivilege 688 WMIC.exe Token: SeTakeOwnershipPrivilege 688 WMIC.exe Token: SeLoadDriverPrivilege 688 WMIC.exe Token: SeSystemProfilePrivilege 688 WMIC.exe Token: SeSystemtimePrivilege 688 WMIC.exe Token: SeProfSingleProcessPrivilege 688 WMIC.exe Token: SeIncBasePriorityPrivilege 688 WMIC.exe Token: SeCreatePagefilePrivilege 688 WMIC.exe Token: SeBackupPrivilege 688 WMIC.exe Token: SeRestorePrivilege 688 WMIC.exe Token: SeShutdownPrivilege 688 WMIC.exe Token: SeDebugPrivilege 688 WMIC.exe Token: SeSystemEnvironmentPrivilege 688 WMIC.exe Token: SeRemoteShutdownPrivilege 688 WMIC.exe Token: SeUndockPrivilege 688 WMIC.exe Token: SeManageVolumePrivilege 688 WMIC.exe Token: 33 688 WMIC.exe Token: 34 688 WMIC.exe Token: 35 688 WMIC.exe Token: SeIncreaseQuotaPrivilege 688 WMIC.exe Token: SeSecurityPrivilege 688 WMIC.exe Token: SeTakeOwnershipPrivilege 688 WMIC.exe Token: SeLoadDriverPrivilege 688 WMIC.exe Token: SeSystemProfilePrivilege 688 WMIC.exe Token: SeSystemtimePrivilege 688 WMIC.exe Token: SeProfSingleProcessPrivilege 688 WMIC.exe Token: SeIncBasePriorityPrivilege 688 WMIC.exe Token: SeCreatePagefilePrivilege 688 WMIC.exe Token: SeBackupPrivilege 688 WMIC.exe Token: SeRestorePrivilege 688 WMIC.exe Token: SeShutdownPrivilege 688 WMIC.exe Token: SeDebugPrivilege 688 WMIC.exe Token: SeSystemEnvironmentPrivilege 688 WMIC.exe Token: SeRemoteShutdownPrivilege 688 WMIC.exe Token: SeUndockPrivilege 688 WMIC.exe Token: SeManageVolumePrivilege 688 WMIC.exe Token: 33 688 WMIC.exe Token: 34 688 WMIC.exe Token: 35 688 WMIC.exe Token: SeBackupPrivilege 1908 vssvc.exe Token: SeRestorePrivilege 1908 vssvc.exe Token: SeAuditPrivilege 1908 vssvc.exe Token: SeIncreaseQuotaPrivilege 1684 WMIC.exe Token: SeSecurityPrivilege 1684 WMIC.exe Token: SeTakeOwnershipPrivilege 1684 WMIC.exe Token: SeLoadDriverPrivilege 1684 WMIC.exe Token: SeSystemProfilePrivilege 1684 WMIC.exe Token: SeSystemtimePrivilege 1684 WMIC.exe Token: SeProfSingleProcessPrivilege 1684 WMIC.exe Token: SeIncBasePriorityPrivilege 1684 WMIC.exe Token: SeCreatePagefilePrivilege 1684 WMIC.exe Token: SeBackupPrivilege 1684 WMIC.exe Token: SeRestorePrivilege 1684 WMIC.exe Token: SeShutdownPrivilege 1684 WMIC.exe Token: SeDebugPrivilege 1684 WMIC.exe Token: SeSystemEnvironmentPrivilege 1684 WMIC.exe Token: SeRemoteShutdownPrivilege 1684 WMIC.exe Token: SeUndockPrivilege 1684 WMIC.exe Token: SeManageVolumePrivilege 1684 WMIC.exe Token: 33 1684 WMIC.exe Token: 34 1684 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 228 iexplore.exe 524 DllHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 228 iexplore.exe 228 iexplore.exe 1664 IEXPLORE.EXE 1664 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 976 wrote to memory of 1000 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 27 PID 976 wrote to memory of 1000 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 27 PID 976 wrote to memory of 1000 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 27 PID 976 wrote to memory of 1000 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 27 PID 976 wrote to memory of 1776 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 28 PID 976 wrote to memory of 1776 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 28 PID 976 wrote to memory of 1776 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 28 PID 976 wrote to memory of 1776 976 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe 28 PID 1000 wrote to memory of 688 1000 nvqbrxkktqbm.exe 30 PID 1000 wrote to memory of 688 1000 nvqbrxkktqbm.exe 30 PID 1000 wrote to memory of 688 1000 nvqbrxkktqbm.exe 30 PID 1000 wrote to memory of 688 1000 nvqbrxkktqbm.exe 30 PID 1000 wrote to memory of 208 1000 nvqbrxkktqbm.exe 39 PID 1000 wrote to memory of 208 1000 nvqbrxkktqbm.exe 39 PID 1000 wrote to memory of 208 1000 nvqbrxkktqbm.exe 39 PID 1000 wrote to memory of 208 1000 nvqbrxkktqbm.exe 39 PID 1000 wrote to memory of 228 1000 nvqbrxkktqbm.exe 40 PID 1000 wrote to memory of 228 1000 nvqbrxkktqbm.exe 40 PID 1000 wrote to memory of 228 1000 nvqbrxkktqbm.exe 40 PID 1000 wrote to memory of 228 1000 nvqbrxkktqbm.exe 40 PID 228 wrote to memory of 1664 228 iexplore.exe 42 PID 228 wrote to memory of 1664 228 iexplore.exe 42 PID 228 wrote to memory of 1664 228 iexplore.exe 42 PID 228 wrote to memory of 1664 228 iexplore.exe 42 PID 1000 wrote to memory of 1684 1000 nvqbrxkktqbm.exe 44 PID 1000 wrote to memory of 1684 1000 nvqbrxkktqbm.exe 44 PID 1000 wrote to memory of 1684 1000 nvqbrxkktqbm.exe 44 PID 1000 wrote to memory of 1684 1000 nvqbrxkktqbm.exe 44 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nvqbrxkktqbm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" nvqbrxkktqbm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe"C:\Users\Admin\AppData\Local\Temp\3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\nvqbrxkktqbm.exeC:\Windows\nvqbrxkktqbm.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1000 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
PID:208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:228 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1664
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\361910~1.EXE2⤵
- Deletes itself
PID:1776
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:524
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5a68f3f13ca9b8d7e97e11322fd9b2c5d
SHA1a3c941e03c58717c737c0b298ec42492c326305e
SHA2567c81843a8397cdb815f94ec9d574b02bbea727d62bb62f4e4e6fe1243182fbec
SHA512bd1317dc0c09eb8d83cbd35dd5686b99fa2279e817c0560c7a14561e2ead9bbb38fad48f6ede7a701392375d5f901187307722656a12ecb83fd6326882c38f0c
-
Filesize
1KB
MD54a085fe0b1cf8f8d1455611224b58bba
SHA12392200b2ff77a35bdc3e21840a7e03eac42d712
SHA2563a84bd446ef550a5517f18a49fddefb0d4e2e55996b5f2b20f1c038a0ca5a75f
SHA512c0e3e56fb3284d02c065310f9af2c3549cc325ed57f9a34a261a14689042ab9eab517d9e12bdba72dbfc7950c8e95a9a2fe656cd85f68de9174f26812be2ab19
-
Filesize
66KB
MD52587f42aeb2ec75d02186aa8be1204e6
SHA1e1e8d20f8e5e2b8b77575964e8e60810bfe43cd3
SHA256cd66f98ebdf25e2e6a1d84056d2fa5c5cb9d57e70f880a848024df598e3fa7cc
SHA5122b31ef872a3b75573884e79acb304454f1e59c5af489c590bcadf6e15ec3f366fa628ff11977f0f2434f884c6b06ffb00d3034bf67c6362e4fddce5f21137bf8
-
Filesize
424KB
MD5591c7f90216f596b849ef9562b8f155b
SHA1f3c185a27c38214418daa50407c9964fd5281d95
SHA2563619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
SHA51231cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
-
Filesize
424KB
MD5591c7f90216f596b849ef9562b8f155b
SHA1f3c185a27c38214418daa50407c9964fd5281d95
SHA2563619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
SHA51231cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
