teslacrypt | 43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe
Size

424KB
MD5

197ef937b8c32bec4f8a0db5b1e8df7f
SHA1

735102b45ca1e87ed6fbc045cc41483e795dbf21
SHA256

43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9
SHA512

0c24f36e6d466c19d4b20ebee30259a2e7d1cb3cd957708ab46b993433f510cc97d42bd192f6a9ceb0c517c88c56397189af3088083534a357ac017b4a4a1403

Score

10^/10

teslacrypt persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+apagi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/701751618A95D6A 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/701751618A95D6A 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/701751618A95D6A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/701751618A95D6A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/701751618A95D6A http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/701751618A95D6A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/701751618A95D6A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/701751618A95D6A

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/701751618A95D6A

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/701751618A95D6A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/701751618A95D6A

http://xlowfznrg4wf7dli.ONION/701751618A95D6A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

Processes:

hvqqcdtxsmaq.exe

pid	Process
2044	hvqqcdtxsmaq.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.mp3	hvqqcdtxsmaq.exe
File renamed	C:\Users\Admin\Pictures\InitializeProtect.crw => C:\Users\Admin\Pictures\InitializeProtect.crw.mp3	hvqqcdtxsmaq.exe
File renamed	C:\Users\Admin\Pictures\InstallDisconnect.raw => C:\Users\Admin\Pictures\InstallDisconnect.raw.mp3	hvqqcdtxsmaq.exe
File renamed	C:\Users\Admin\Pictures\SendComplete.png => C:\Users\Admin\Pictures\SendComplete.png.mp3	hvqqcdtxsmaq.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1432	cmd.exe

Drops startup file 3 IoCs

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	hvqqcdtxsmaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\xihsgboiamip = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hvqqcdtxsmaq.exe\""	hvqqcdtxsmaq.exe

Drops file in Program Files directory 64 IoCs

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\SendJoin.odt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_RECoVERY_+apagi.html	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_RECoVERY_+apagi.txt	hvqqcdtxsmaq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_RECoVERY_+apagi.png	hvqqcdtxsmaq.exe

Drops file in Windows directory 2 IoCs

Processes:

43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe

description	ioc	Process
File created	C:\Windows\hvqqcdtxsmaq.exe	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe
File opened for modification	C:\Windows\hvqqcdtxsmaq.exe	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D5F3D91-FE3B-11EC-AA2F-C621D3E3FB96} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	hvqqcdtxsmaq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	hvqqcdtxsmaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	hvqqcdtxsmaq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	hvqqcdtxsmaq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	hvqqcdtxsmaq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	hvqqcdtxsmaq.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
220	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hvqqcdtxsmaq.exe

pid	Process
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe
2044	hvqqcdtxsmaq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exehvqqcdtxsmaq.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe
Token: SeDebugPrivilege	2044	hvqqcdtxsmaq.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeSecurityPrivilege	1884	WMIC.exe
Token: SeTakeOwnershipPrivilege	1884	WMIC.exe
Token: SeLoadDriverPrivilege	1884	WMIC.exe
Token: SeSystemProfilePrivilege	1884	WMIC.exe
Token: SeSystemtimePrivilege	1884	WMIC.exe
Token: SeProfSingleProcessPrivilege	1884	WMIC.exe
Token: SeIncBasePriorityPrivilege	1884	WMIC.exe
Token: SeCreatePagefilePrivilege	1884	WMIC.exe
Token: SeBackupPrivilege	1884	WMIC.exe
Token: SeRestorePrivilege	1884	WMIC.exe
Token: SeShutdownPrivilege	1884	WMIC.exe
Token: SeDebugPrivilege	1884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1884	WMIC.exe
Token: SeRemoteShutdownPrivilege	1884	WMIC.exe
Token: SeUndockPrivilege	1884	WMIC.exe
Token: SeManageVolumePrivilege	1884	WMIC.exe
Token: 33	1884	WMIC.exe
Token: 34	1884	WMIC.exe
Token: 35	1884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeSecurityPrivilege	1884	WMIC.exe
Token: SeTakeOwnershipPrivilege	1884	WMIC.exe
Token: SeLoadDriverPrivilege	1884	WMIC.exe
Token: SeSystemProfilePrivilege	1884	WMIC.exe
Token: SeSystemtimePrivilege	1884	WMIC.exe
Token: SeProfSingleProcessPrivilege	1884	WMIC.exe
Token: SeIncBasePriorityPrivilege	1884	WMIC.exe
Token: SeCreatePagefilePrivilege	1884	WMIC.exe
Token: SeBackupPrivilege	1884	WMIC.exe
Token: SeRestorePrivilege	1884	WMIC.exe
Token: SeShutdownPrivilege	1884	WMIC.exe
Token: SeDebugPrivilege	1884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1884	WMIC.exe
Token: SeRemoteShutdownPrivilege	1884	WMIC.exe
Token: SeUndockPrivilege	1884	WMIC.exe
Token: SeManageVolumePrivilege	1884	WMIC.exe
Token: 33	1884	WMIC.exe
Token: 34	1884	WMIC.exe
Token: 35	1884	WMIC.exe
Token: SeBackupPrivilege	1216	vssvc.exe
Token: SeRestorePrivilege	1216	vssvc.exe
Token: SeAuditPrivilege	1216	vssvc.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemProfilePrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeProfSingleProcessPrivilege	364	WMIC.exe
Token: SeIncBasePriorityPrivilege	364	WMIC.exe
Token: SeCreatePagefilePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeDebugPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeRemoteShutdownPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: 33	364	WMIC.exe
Token: 34	364	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
1936	iexplore.exe
1884	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1936	iexplore.exe
1936	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exehvqqcdtxsmaq.exeiexplore.exe

description	pid	Process	procid_target
PID 1664 wrote to memory of 2044	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	27
PID 1664 wrote to memory of 2044	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	27
PID 1664 wrote to memory of 2044	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	27
PID 1664 wrote to memory of 2044	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	27
PID 1664 wrote to memory of 1432	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	28
PID 1664 wrote to memory of 1432	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	28
PID 1664 wrote to memory of 1432	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	28
PID 1664 wrote to memory of 1432	1664	43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe	28
PID 2044 wrote to memory of 1884	2044	hvqqcdtxsmaq.exe	30
PID 2044 wrote to memory of 1884	2044	hvqqcdtxsmaq.exe	30
PID 2044 wrote to memory of 1884	2044	hvqqcdtxsmaq.exe	30
PID 2044 wrote to memory of 1884	2044	hvqqcdtxsmaq.exe	30
PID 2044 wrote to memory of 220	2044	hvqqcdtxsmaq.exe	38
PID 2044 wrote to memory of 220	2044	hvqqcdtxsmaq.exe	38
PID 2044 wrote to memory of 220	2044	hvqqcdtxsmaq.exe	38
PID 2044 wrote to memory of 220	2044	hvqqcdtxsmaq.exe	38
PID 2044 wrote to memory of 1936	2044	hvqqcdtxsmaq.exe	39
PID 2044 wrote to memory of 1936	2044	hvqqcdtxsmaq.exe	39
PID 2044 wrote to memory of 1936	2044	hvqqcdtxsmaq.exe	39
PID 2044 wrote to memory of 1936	2044	hvqqcdtxsmaq.exe	39
PID 2044 wrote to memory of 364	2044	hvqqcdtxsmaq.exe	41
PID 2044 wrote to memory of 364	2044	hvqqcdtxsmaq.exe	41
PID 2044 wrote to memory of 364	2044	hvqqcdtxsmaq.exe	41
PID 2044 wrote to memory of 364	2044	hvqqcdtxsmaq.exe	41
PID 1936 wrote to memory of 1256	1936	iexplore.exe	42
PID 1936 wrote to memory of 1256	1936	iexplore.exe	42
PID 1936 wrote to memory of 1256	1936	iexplore.exe	42
PID 1936 wrote to memory of 1256	1936	iexplore.exe	42
PID 2044 wrote to memory of 580	2044	hvqqcdtxsmaq.exe	45
PID 2044 wrote to memory of 580	2044	hvqqcdtxsmaq.exe	45
PID 2044 wrote to memory of 580	2044	hvqqcdtxsmaq.exe	45
PID 2044 wrote to memory of 580	2044	hvqqcdtxsmaq.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

hvqqcdtxsmaq.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hvqqcdtxsmaq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hvqqcdtxsmaq.exe

C:\Users\Admin\AppData\Local\Temp\43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe
"C:\Users\Admin\AppData\Local\Temp\43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\hvqqcdtxsmaq.exe
  C:\Windows\hvqqcdtxsmaq.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2044
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:220
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1256
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HVQQCD~1.EXE
    3⤵
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\43FB7B~1.EXE
  2⤵
  - Deletes itself
  PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RECOVERY.HTM

Filesize
11KB

MD5
96752c71cc69ac9b09a0ebffdb18fcc1

SHA1
0d5f7e97a11ee71e48b6f9558357a6133327ab00

SHA256
189fc08f0fb3e53a196f3de0d38dc5869515a373faa7ae4a7bab06f72436131a

SHA512
923469606163914d39a917c970633fe872c9c7dfde05a4d714a063efed61f8879d162b44c2a212fb918879fe519e3f6ae7eb082619853b4aa0c6a3255d8cfb5a

Download Submit
C:\Users\Admin\Desktop\RECOVERY.TXT

Filesize
1KB

MD5
ebdf74e5ffc30866e1dc6ebc0f0315a2

SHA1
74b00d9160424ce9fc92ae650bb58cd3896bcbdf

SHA256
a50b83f08bb0becb82b9cc0688ecb1065914f3185183b9b6ea0f6f168fd85dd8

SHA512
1a1e0b8bef808ac34f9bf65bb56a39c1a15067ef367f4aeb42c1d65a3af8f0db3a2d77e38ba393d2e5638e806bd606c0afd4706b52fb9b67c391b14b8a15926c

Download Submit
C:\Users\Admin\Desktop\RECOVERY.png

Filesize
64KB

MD5
16906bf67da589b17b3c448b2025644b

SHA1
57c99ed92abf276ddf05383e65f46ecba42f3e23

SHA256
9df976caf76085d27ec25f2e9fc708c05dc3d4ad18c0c436e5467c3b1cd029d4

SHA512
08c1e8de96abb6bfe01857adaab84bcb7b0253d78a1a770bf37a1804868b3ed0ac2800a8d9ac6e6cf925cf9bce7ce9f4d6f498154488fca2fdde03fd63593055

Download Submit
C:\Windows\hvqqcdtxsmaq.exe

Filesize
424KB

MD5
197ef937b8c32bec4f8a0db5b1e8df7f

SHA1
735102b45ca1e87ed6fbc045cc41483e795dbf21

SHA256
43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9

SHA512
0c24f36e6d466c19d4b20ebee30259a2e7d1cb3cd957708ab46b993433f510cc97d42bd192f6a9ceb0c517c88c56397189af3088083534a357ac017b4a4a1403

Download Submit
C:\Windows\hvqqcdtxsmaq.exe

Filesize
424KB

MD5
197ef937b8c32bec4f8a0db5b1e8df7f

SHA1
735102b45ca1e87ed6fbc045cc41483e795dbf21

SHA256
43fb7bf938736abced7de012b8395088752387ddccce4521af977410c3b4a1b9

SHA512
0c24f36e6d466c19d4b20ebee30259a2e7d1cb3cd957708ab46b993433f510cc97d42bd192f6a9ceb0c517c88c56397189af3088083534a357ac017b4a4a1403

Download Submit
memory/220-71-0x0000000000000000-mapping.dmp

Download
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/580-78-0x0000000000000000-mapping.dmp

Download
memory/1432-63-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1664-59-0x0000000000670000-0x00000000006F5000-memory.dmp

Filesize
532KB

Download
memory/1664-55-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1884-70-0x0000000000000000-mapping.dmp

Download
memory/2044-68-0x0000000001E90000-0x0000000001F15000-memory.dmp

Filesize
532KB

Download
memory/2044-64-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2044-60-0x0000000000000000-mapping.dmp

Download