Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : d40fe282c90704e304511969ecbf99c2
 
  • Major Detection Name : Trojan.Ransom.Stop (ALYac), Trojan-Ransom.Win32.Stop.dr (Kaspersky)
 
  • Encrypted File Pattern : .kvag
 
  • Malicious File Creation Location :
     - C:\SystemID
     - C:\SystemID\PersonalID.txt
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\4.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\5.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin1.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin2.exe
     - C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.exe
     - C:\Users\%UserName%\AppData\Local\Temp\MpCmdRun.log
     - C:\Users\%UserName%\AppData\Local\script.ps1
     - C:\Windows\System32\drivers\etc\hosts
     - C:\Windows\System32\Tasks\Time Trigger Task
 
  • Payment Instruction File : _readme.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Create a fake "Windows Update" message
     - Modifies Windows Host file (C:\Windows\System32\drivers\etc\hosts) to block security web sites.
     - Disable and Blocks Task Manager (DisableTaskmgr)
     - Disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true, "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all)
     - Reruns by adding "Time Trigger Task" in Task Scheduler to run "%LocalAppData%\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe --Task" for every 5 minutes.
     - Generates additional an info stealer malwares

List

위로