  • Distribution Method : Mail attachment file

  • MD5 : b7520da4c2efbe27a2a194fd7d822c26

  • Major Detection Name : Trojan.Ransom.Filecoder (ALYac), Ransom.FileCryptor (Malwarebytes)

  • Encrypted File Pattern : .docm

  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\backup.ps1
     - C:\Users\%UserName%\AppData\Local\Temp\LIST_DECRYPTED_FILE.txt
     - C:\Users\%UserName%\AppData\Local\Temp\LIST_ENCRYPTED_FILE.txt
     - C:\Users\%UserName%\AppData\Local\Temp\LOG_DECRYPT.log
     - C:\Users\%UserName%\AppData\Local\Temp\LOG_ENCRYPT.log

  • Payment Instruction File : README_RECOVERY.txt

  • Major Characteristics :
     - Offline encryption
     - Disables Microsoft Defender Controlled Folder Access (powershell -NoP -NonI -W Hidden -Exec Bypass Set-MpPreference -EnableControlledFolderAccess Disabled)
     - Blocks execution of processes (cmd.exe, kingengine.exe)
     - Stops multiple services (Sophos MCS Client, SQLAgent$SQL_2008, SQLSafeOLRService, sqlserv, tomcat6, W3Svc, etc.)
     - Disables system restore and deletes shadow copies (vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wmic.exe SHADOWCOPY /nointeractive)
     - Deletes the KingEngine Task Scheduler entry
     - Deletes event logs (Analytic, Application, HardwareEvents, Internet Explorer, Security, System, etc.)
     - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\meme.jpg)
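Detection of the recovery-inhibition commands listed under Major Characteristics, as an added example that is not part of the original page and not AppCheck's own code: a small Python scanner that matches process-creation command lines against the exact commands recorded above (Controlled Folder Access disabled via Set-MpPreference, vssadmin shadow deletion, the two bcdedit changes, and wmic SHADOWCOPY) and raises the verdict when two or more distinct indicators fire on the same host. The Sysmon-style "Image: ... CommandLine: ..." line format and the two benign control lines are constructed for the example and are assumptions, not telemetry from the sample.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation lines (assumed format, not real telemetry
# from the sample on the page). The first five command lines are the ones recorded on
# the page; the last two are benign controls that must not fire.
SAMPLE_LOG = """\
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine: powershell -NoP -NonI -W Hidden -Exec Bypass Set-MpPreference -EnableControlledFolderAccess Disabled
Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet
Image: C:\\Windows\\System32\\bcdedit.exe CommandLine: bcdedit.exe /set {default} recoveryenabled No
Image: C:\\Windows\\System32\\bcdedit.exe CommandLine: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Image: C:\\Windows\\System32\\wbem\\wmic.exe CommandLine: wmic.exe SHADOWCOPY /nointeractive
Image: C:\\Windows\\System32\\notepad.exe CommandLine: notepad.exe C:\\Users\\alice\\notes.txt
Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe list shadows
"""

# (rule name, regex) pairs, matched case-insensitively against the CommandLine field only.
# The wmic rule keys on the SHADOWCOPY class, the verb-less form recorded on the page.
RULES = [
    ("defender_cfa_disabled", r"set-mppreference\b.*-enablecontrolledfolderaccess\s+disabled\b"),
    ("vssadmin_delete_shadows", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("wmic_shadowcopy", r"\bwmic(?:\.exe)?\s+shadowcopy\b"),
    ("bcdedit_recovery_off", r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("bcdedit_bootstatus_ignore", r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]
CMDLINE_RE = re.compile(r"CommandLine:\s*(.*)$")


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) pair whose CommandLine matches a rule."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = CMDLINE_RE.search(line)
        if not m:
            continue  # not a process-creation line in the assumed format
        cmd = m.group(1)
        for name, rx in COMPILED:
            if rx.search(cmd):
                findings.append({"line": line_no, "rule": name, "command": cmd})
    return findings


def assess(findings: List[Dict[str, object]]) -> str:
    """Two or more distinct indicators on one host is the pre-encryption preparation pattern."""
    distinct = {f["rule"] for f in findings}
    if len(distinct) >= 2:
        return "suspected ransomware pre-encryption activity"
    if distinct:
        return "single recovery-inhibition indicator; review"
    return "no indicators"


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['rule']}: {h['command']}")
    print(assess(hits))
```

The rules match the command line rather than the image path, so a renamed binary still fires as long as the arguments are intact, and the benign `vssadmin list shadows` is deliberately excluded. In a real deployment the per-host grouping in `assess` would be keyed on the host and a time window rather than on a single log blob.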
