Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : e32a5b8a153ae7bd3acec7b1cdb879e0
 
  • Major Detection Name : Troj/Ransom-EWQ (Sophos), Ransom.Win32.NMoreira.THDOGBO (Trend Micro)
 
  • Encrypted File Pattern : .NMoreira
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\Setup_1301.exe
     - C:\Windows\System32\Tasks\Reggie
     - C:\YOUR_DRIVE_HAS_BEEN_ENCRYPTED.TXT
 
  • Payment Instruction File : YOUR_DRIVE_HAS_BEEN_ENCRYPTED.TXT
 
  • Major Characteristics :
     - Offline Encryption
     - NM4 / Xpan Ransomware series
     - Automatically reboots Windows (C:\Windows\system32\shutdown.exe /r /f) through the Reggie in Task Scheduler After 30 minutes of running the ransomware file. → Modifying the MBR
     - Disable system restore (vssadmin Delete Shadows /all /quiet)
     - Deletes event log (wevtutil cl Setup, wevtutil cl System, wevtutil cl Security, wevtutil cl Application)

List

위로