Videos

Check out our video library showing AppCheck defending against the newest ransomware, with automatic recovery and real-time backup.

  • Distribution Method : Unknown

  • MD5 : e5ee41b7ce337ff5cc3fd62ddec1567e

  • Major Detection Name : Ransom:Win64/Filecoder.DM!MTB (Microsoft), Ransom.Win64.VASHSORENA.A (Trend Micro)

  • Encrypted File Pattern : .Id-<Random>.secure

  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HELP_DECRYPT_YOUR_FILES.html
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HELP_DECRYPT_YOUR_FILES.txt
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Watch-me.mp4
     - C:\Users\%UserName%\Desktop\Watch-me.mp4
     - C:\Users\Default\Desktop\Watch-me.mp4
     - C:\Users\Public\Desktop\Watch-me.mp4
     - C:\Users\Public\Music\clear.bat
     - C:\Users\Public\Music\End.exe
     - C:\Users\Public\Music\video.mp4
     - <Drive Letter>:\Watch-me.mp4

  • Payment Instruction File : HELP_DECRYPT_YOUR_FILES.html / HELP_DECRYPT_YOUR_FILES.txt

  • Major Characteristics :
     - Offline encryption (encrypts without needing to contact a server)
     - Changes the volume label of the disk to "Encrypted"
     - Blocks execution of processes (sqlceip.exe, sqlservr.exe, sqlwriter.exe)
     - Stops the MSSQL$SQLEXPRESS service
     - Clears event logs (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "HardwareEvents", wevtutil.exe cl "Internet Explorer", wevtutil.exe cl "Security", wevtutil.exe cl "System", etc.)
     - Empties the Recycle Bin (rmdir <Drive Letter>:\$Recycle.Bin /s /q)
     - Changes the icon shown for encrypted (.Id-<Random>.secure) files (reg add HKEY_CLASSES_ROOT\.secure\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,271 /f)
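The three command-line behaviours above (event-log clearing, Recycle Bin wipe, and the .secure DefaultIcon registry key) are easy to hunt for in process-creation telemetry. The detector below is an added example, not AppCheck's code; it assumes a constructed "pid|image|command line" record format, and the sample events are made up for the demo.

```python
"""Flag the command-line indicators from the characteristics list above
in process-creation telemetry. The record format and the log lines are
constructed for this example and are not real telemetry."""
import re
from collections import Counter

# One pattern per characteristic listed on the card.
INDICATORS = {
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "recycle_bin_wipe": re.compile(r"\brmdir\b.*\$Recycle\.Bin\b.*/s\b.*/q\b", re.I),
    "secure_ext_icon": re.compile(
        r"\breg(\.exe)?\s+add\s+HKEY_CLASSES_ROOT\\\.secure\\DefaultIcon\b", re.I),
}

# Constructed telemetry: "pid|image|command line", one process creation per line.
SAMPLE_EVENTS = """\
4120|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl "Security"
4121|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl "System"
4130|C:\\Windows\\System32\\cmd.exe|cmd /c rmdir D:\\$Recycle.Bin /s /q
4140|C:\\Windows\\System32\\reg.exe|reg add HKEY_CLASSES_ROOT\\.secure\\DefaultIcon /t REG_SZ /d %SystemRoot%\\System32\\SHELL32.dll,271 /f
4150|C:\\Windows\\System32\\cmd.exe|cmd /c dir C:\\Users
"""

def classify(command_line):
    """Return the names of every indicator the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]

def scan(log_text):
    """Parse pid|image|cmdline records and return (hits, verdict).
    hits: list of (pid, indicator) tuples in log order.
    verdict: True when two or more distinct characteristics appear, since a
    single wevtutil cl on its own is common admin activity."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pid, _image, cmd = line.split("|", 2)
        hits.extend((int(pid), name) for name in classify(cmd))
    distinct = Counter(name for _, name in hits)
    return hits, len(distinct) >= 2

if __name__ == "__main__":
    found, suspicious = scan(SAMPLE_EVENTS)
    for pid, name in found:
        print(pid, name)
    print("suspicious:", suspicious)
```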
