Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 5f8a07824e8a7b7f5f7fc71139ff41e6
 
  • Major Detection Name : a variant of Win32/Kryptik.GPAR (ESET), Ransom.Win32.STOP.THABIAI (Trend Micro)
 
  • Encrypted File Pattern : .adobee
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin1.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin2.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe
     - C:\Users\%UserName%\AppData\Local\Temp\MpCmdRun.log
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.exe
     - C:\Users\%UserName%\AppData\Local\script.ps1
     - C:\Windows\System32\drivers\etc\hosts
     - C:\Windows\System32\Tasks\Time Trigger Task
 
  • Payment Instruction File : _openme.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Create a fake "Windows Update" message
     - Modifies Windows Host file (C:\Windows\System32\drivers\etc\hosts) to block security web sites.
     - Disable and Blocks Task Manager (DisableTaskmgr)
     - Disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true, "C:\Program Files\Windows  Defender\mpcmdrun.exe" -removedefinitions -all)
     - Reruns by adding "Time Trigger Task" in Task Scheduler to run "%LocalAppData%\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe --Task" for every 5 minutes.

List

위로