Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Installation via CobaltStrike malware
 
  • MD5 : 572fea5f025df78f2d316216fbeee52e
 
  • Major Detection Name : Win32/Filecoder.WastedLocker.A (ESET), Ransom.BinADS (Malwarebytes)
 
  • Encrypted File Pattern : .<2~3-Digit Random>wasted
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32\winmm.dll
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32\winsat.exe
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.dmp
     - C:\Users\%UserName%\AppData\Local\Temp\<2-Digit Random>.dmp
     - C:\Users\%UserName%\AppData\Roaming\<2-Digit Random Filename>
     - C:\Users\%UserName%\AppData\Roaming\<2-Digit Random>:bin
     - C:\Users\%UserName%\AppData\Roaming\<Random Filename>
     - C:\Users\%UserName%\AppData\Roaming\<Random>:bin
     - C:\Windows\SysWOW64\<Random>.exe
     - C:\Windows\Temp\<Random>.dmp
     - C:\Windows\Temp\lck.log
 
  • Payment Instruction File : <Original Filename>.<Original Extension>.<2~3-Digit Random>wasted_info
 
  • Major Characteristics :
     - Offline Encryption
     - Use a YZCKUEONYQSURZWORG Digital Signatures
     - Create an ADS (Alternate Data Stream) file and encrypt the files.
     - Register ransomware malicious file as a service (C:\Windows\SysWOW64\<Random>.exe -s)
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet)

List

위로