
Trojan.Ransomcrypt.D

Posted: July 15, 2013

Threat Metric

Threat Level: 9/10
Infected PCs: 5
First Seen: July 15, 2013
Last Seen: March 15, 2022
OS(es) Affected: Windows

Trojan.Ransomcrypt.D is a Trojan that encrypts certain documents on the infected computer and locks the desktop. When executed, Trojan.Ransomcrypt.D copies itself to several locations and creates additional potentially malicious files. It then creates a file and creates and modifies registry entries so that it runs automatically every time Windows starts. Trojan.Ransomcrypt.D also creates and modifies registry entries that lower the system's security settings, and creates further registry entries. Trojan.Ransomcrypt.D may lock the affected computer and display an image/alert entitled 'DIRTY ALERT', which asks the victim to pay a ransom to unlock the computer using Paysafecard, Ukash or MoneyPak. Trojan.Ransomcrypt.D may also encrypt files on the compromised PC. To conceal the infection, Trojan.Ransomcrypt.D may terminate processes used to monitor system behavior. Trojan.Ransomcrypt.D may then connect to a number of web addresses.

Technical Details

File System Modifications


The following files were created on the system:

File name: %ProgramFiles%\Adobe\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %ProgramFiles%\Dirty\DirtyDecrypt.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %Temp%\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %UserProfile%\Application Data\Dirty\DirtyDecrypt.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %UserProfile%\Local Settings\Application Data\Identities\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %UserProfile%\Application Data\Dirty\alertwall.jpg
Mime Type: unknown/jpg
Group: Malware file

File name: %UserProfile%\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
Group: Malware file

File name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516
Group: Malware file

File name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
Group: Malware file

File name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
Group: Malware file

Registry Modifications

The following Registry values are newly created or modified:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"DirtyDecrypt" = "\"\\?\%UserProfile%\Application Data\Dirty\DirtyDecrypt.exe\" \hide"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\Identities\[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\{GUID}\"ID" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\{GUID}\"PeriodDisabed" = "1"
HKEY_CURRENT_USER\Software\{GUID}\"ID" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\{GUID}\"PeriodDisabed" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UacDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\"F" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\"C" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,,%ProgramFiles%\Adobe\[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\[SID]\000003ED\"(Default)" = "?\00?"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\"Start" = "4"
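The persistence, security-downgrade and dropped-file indicators listed in the two sections above lend themselves to a host audit. The PowerShell script below is an added example, not code from this page or from any vendor tool; it assumes the XP-era "%UserProfile%\Application Data" paths map to $env:APPDATA and $env:LOCALAPPDATA on current Windows, and it reads the registry value names exactly as the page gives them.

```powershell
# Added example (not from the original page): read-only audit for the Trojan.Ransomcrypt.D
# indicators listed above. Run from an elevated PowerShell prompt; nothing is modified.
# Assumption: "%UserProfile%\Application Data" maps to $env:APPDATA / $env:LOCALAPPDATA.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Run-key autostarts: a "DirtyDecrypt" value, or any value pointing at the dropped
#    binaries the page lists under Dirty\ or ...\Identities\.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    $key = Get-Item $run
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($name -eq 'DirtyDecrypt' -or $val -match 'DirtyDecrypt\.exe|\\Identities\\[^\\]+\.exe') {
            $findings.Add("Run value '$name' in $hive = $val")
        }
    }
}

# 2. Winlogon Userinit should name only userinit.exe; the page shows an extra executable
#    appended after a double comma, so any other non-empty entry is reported.
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$extra = @([string]$userinit -split ',' | Where-Object { $_.Trim() -and $_ -notmatch 'userinit\.exe\s*$' })
if ($extra.Count) { $findings.Add("Userinit carries extra entries: $($extra -join '; ')") }

# 3. Security Center overrides set to 1 and UAC disabled (EnableLUA = 0).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($v in 'UacDisableNotify', 'AntiVirusOverride', 'FirewallOverride') {
    if ((Get-RegValue $sc $v) -eq 1) { $findings.Add("Security Center $v = 1") }
}
if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA') -eq 0) {
    $findings.Add('EnableLUA = 0 (UAC disabled)')
}

# 4. Security Center (wscsvc) and Windows Update (wuauserv) services set to Start = 4 (disabled).
foreach ($svc in 'wscsvc', 'wuauserv') {
    if ((Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start') -eq 4) {
        $findings.Add("Service $svc is disabled (Start = 4)")
    }
}

# 5. Dropped files at the fixed paths named on the page (random-named drops are not checked).
foreach ($p in "$env:ProgramFiles\Dirty\DirtyDecrypt.exe", "$env:APPDATA\Dirty\DirtyDecrypt.exe",
               "$env:LOCALAPPDATA\Dirty\DirtyDecrypt.exe", "$env:APPDATA\Dirty\alertwall.jpg") {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Trojan.Ransomcrypt.D indicators found.' }
```

A hit on the Userinit, Security Center or service checks on its own is a strong signal even when the dropped files have been renamed, since those values are rarely changed by legitimate software.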