Resubmissions
12/03/2025, 21:38  250312-1g2k8atybt  10
09/03/2025, 00:43  250309-a3c7mswkz5  10
09/03/2025, 00:40  250309-a1jxeawvbx  10

Analysis
max time kernel: 117s
max time network: 116s
platform: windows7_x64
resource: win7-20241010-ja
resource tags: arch:x64, arch:x86, image:win7-20241010-ja, locale:ja-jp, os:windows7-x64, system, windows
submitted: 09/03/2025, 00:43
Static task: static1
Behavioral task: behavioral1
Sample: Trojan.Ransom.exe
Resource: win7-20241010-ja
General
Target: Trojan.Ransom.exe
Size: 232KB
MD5: 60fabd1a2509b59831876d5e2aa71a6b
SHA1: 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512: 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP: 3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral1/memory/2888-3-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
Chimera family
Renames multiple (1983) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 37 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | bot.whatismyipaddress.com
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan.Ransom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2160 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 2888 Trojan.Ransom.exe
- Token: SeDebugPrivilege, PID 2160 taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 16 IoCs
- PID 2040 iexplore.exe
- PID 2040 iexplore.exe
- PID 332 IEXPLORE.EXE
- PID 332 IEXPLORE.EXE
- PID 340 iexplore.exe
- PID 340 iexplore.exe
- PID 1760 IEXPLORE.EXE
- PID 1760 IEXPLORE.EXE
- PID 1760 IEXPLORE.EXE
- PID 1760 IEXPLORE.EXE
- PID 2924 IEXPLORE.EXE
- PID 2924 IEXPLORE.EXE
- PID 2092 iexplore.exe
- PID 2092 iexplore.exe
- PID 2252 IEXPLORE.EXE
- PID 2252 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 20 IoCs
- PID 2040 wrote to memory of 332 (pid 2040, iexplore.exe, procid_target 34)
- PID 2040 wrote to memory of 332 (pid 2040, iexplore.exe, procid_target 34)
- PID 2040 wrote to memory of 332 (pid 2040, iexplore.exe, procid_target 34)
- PID 2040 wrote to memory of 332 (pid 2040, iexplore.exe, procid_target 34)
- PID 2888 wrote to memory of 340 (pid 2888, Trojan.Ransom.exe, procid_target 38)
- PID 2888 wrote to memory of 340 (pid 2888, Trojan.Ransom.exe, procid_target 38)
- PID 2888 wrote to memory of 340 (pid 2888, Trojan.Ransom.exe, procid_target 38)
- PID 2888 wrote to memory of 340 (pid 2888, Trojan.Ransom.exe, procid_target 38)
- PID 340 wrote to memory of 1760 (pid 340, iexplore.exe, procid_target 39)
- PID 340 wrote to memory of 1760 (pid 340, iexplore.exe, procid_target 39)
- PID 340 wrote to memory of 1760 (pid 340, iexplore.exe, procid_target 39)
- PID 340 wrote to memory of 1760 (pid 340, iexplore.exe, procid_target 39)
- PID 340 wrote to memory of 2924 (pid 340, iexplore.exe, procid_target 40)
- PID 340 wrote to memory of 2924 (pid 340, iexplore.exe, procid_target 40)
- PID 340 wrote to memory of 2924 (pid 340, iexplore.exe, procid_target 40)
- PID 340 wrote to memory of 2924 (pid 340, iexplore.exe, procid_target 40)
- PID 2092 wrote to memory of 2252 (pid 2092, iexplore.exe, procid_target 44)
- PID 2092 wrote to memory of 2252 (pid 2092, iexplore.exe, procid_target 44)
- PID 2092 wrote to memory of 2252 (pid 2092, iexplore.exe, procid_target 44)
- PID 2092 wrote to memory of 2252 (pid 2092, iexplore.exe, procid_target 44)
Processes
- C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe (PID 2888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe"
  Signatures:
  - Chimera
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 340)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1760)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2924)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:340994 /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 2160)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2040)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 332)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 2272)
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\explorer.exe (PID 2972)
  Command line: "C:\Windows\explorer.exe"
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2092)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\EditApprove.xhtml
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2252)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2092 CREDAT:275457 /prefetch:2
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads