Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2022 12:37
Static task: static1
Behavioral task: behavioral1
Sample: Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Resource: win10v2004-20220901-en
General
Target: Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Size: 232KB
MD5: 60fabd1a2509b59831876d5e2aa71a6b
SHA1: 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512: 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP: 3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource: behavioral1/memory/1788-56-0x0000000010000000-0x0000000010010000-memory.dmp
yara_rule: chimera_loader_dll
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Process (all entries): Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification: C:\Users\Admin\Pictures\SubmitStep.tiff
File renamed: C:\Users\Admin\Pictures\SubmitStep.tiff => C:\Users\Admin\Pictures\SubmitStep.tiff.crypt
File renamed: C:\Users\Admin\Pictures\BackupFind.tiff => C:\Users\Admin\Pictures\BackupFind.tiff.crypt
File renamed: C:\Users\Admin\Pictures\UnregisterRevoke.png => C:\Users\Admin\Pictures\UnregisterRevoke.png.crypt
File opened for modification: C:\Users\Admin\Pictures\PingComplete.tiff
File renamed: C:\Users\Admin\Pictures\PingComplete.tiff => C:\Users\Admin\Pictures\PingComplete.tiff.crypt
File renamed: C:\Users\Admin\Pictures\LimitRead.png => C:\Users\Admin\Pictures\LimitRead.png.crypt
File renamed: C:\Users\Admin\Pictures\GroupSwitch.crw => C:\Users\Admin\Pictures\GroupSwitch.crw.crypt
File opened for modification: C:\Users\Admin\Pictures\BackupFind.tiff
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 37 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 3
ioc: bot.whatismyipaddress.com
Drops file in Program Files directory 64 IoCs
Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1788 Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1152 iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1152 iexplore.exe
1152 iexplore.exe
2012 IEXPLORE.EXE
2012 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1788 wrote to memory of 1152 1788 Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe 31
PID 1788 wrote to memory of 1152 1788 Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe 31
PID 1788 wrote to memory of 1152 1788 Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe 31
PID 1788 wrote to memory of 1152 1788 Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe 31
PID 1152 wrote to memory of 2012 1152 iexplore.exe 32
PID 1152 wrote to memory of 2012 1152 iexplore.exe 32
PID 1152 wrote to memory of 2012 1152 iexplore.exe 32
PID 1152 wrote to memory of 2012 1152 iexplore.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.a-1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe"
- Chimera
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
-
  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1152
  -
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2012
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015