- Distribution Method : Unknown
- MD5 : 3ae9816b7103b1842ad6ab464ebc2c6e
- Major Detection Name : DeepScan:Generic.Ransom.Spora.498E39DD (BitDefender), W32/Filecoder.OIE!tr.ransom (Fortinet)
- Encrypted File Pattern : .<4-Digit Random Extension>
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\<6-digit Random> ReadMe.txt
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<6-digit Random> ReadMe.txt
- C:\Users\%UserName%\AppData\f__d_d.sys
- C:\Users\%UserName%\AppData\h4_svc.bat
- C:\Users\%UserName%\AppData\Renc.sys
- C:\Users\%UserName%\AppData\t2_svc.bat
- C:\Users\%UserName%\AppData\v9_svc.vbs
- C:\Users\ReadMe.hta
- C:\Users\<Random> ReadMe.txt
- C:\Windows\System32\Tasks\Microsoft_Auto_Scheduler
- C:\<Random> ReadMe.txt
- Payment Instruction File : ReadMe.hta / <6-digit Random> ReadMe.txt
- Major Characteristics :
- Offline Encryption
- Turns off User Account Control (UAC)
- Turns off Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
- Enables a Windows Firewall rule group (netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes)
- Blocks execution of processes (dbeng50.exe, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, visio.exe etc.)
- Disables system restore by deleting shadow copies and the backup catalog (vssadmin.exe Delete Shadows /All /Quiet, wmic shadowcopy delete, wbadmin delete catalog -quiet)
- Adds a Microsoft_Auto_Scheduler scheduled task that automatically runs the file "C:\Users\%UserName%\AppData\t2_svc.bat" every 6 minutes.
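The characteristics above translate directly into detection logic: the firewall and shadow-copy commands show up as process-creation events, and the dropped files show up as file-creation events in the Startup folder and in AppData. The following is an added example (not code from the original post or from any vendor) that matches constructed, clearly labelled sample events against rules derived from this IoC list; the event format (a dict with `type`, `cmdline` or `path`) and the verdict heuristic are assumptions of this example, not a description of any specific product.

```python
import re
from typing import Dict, List, Tuple

# Process-creation rules, matched against the command line.
# Each pattern follows a command quoted in the IoC list above.
PROCESS_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("firewall_disabled", re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|netsh\s+firewall\s+set\s+opmode\s+mode=disable", re.I)),
    ("firewall_rule_group_enabled", re.compile(
        r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=.*enable=yes", re.I)),
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic\s+shadowcopy\s+delete"
        r"|wbadmin\s+delete\s+catalog", re.I)),
]

# File-creation rules, matched against the full path of the new file.
# The 6-character prefix and the *_svc.bat/.vbs names mirror the listed drop locations.
FILE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("startup_folder_dropper", re.compile(
        r"\\Start Menu\\Programs\\Startup\\"
        r"(?:[A-Za-z0-9]{6} ReadMe\.txt|Desktopini\.exe)$", re.I)),
    ("appdata_helper_script", re.compile(
        r"\\AppData\\(?:[a-z0-9]{2}_svc\.(?:bat|vbs)|f__d_d\.sys|Renc\.sys)$", re.I)),
    ("ransom_note", re.compile(r"\\ReadMe\.hta$", re.I)),
]

# Constructed sample telemetry (not real logs): a user named "alice" is assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\Desktopini.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\t2_svc.bat"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "file", "path": r"C:\Users\ReadMe.hta"},
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule this single event triggers (empty if none)."""
    if event.get("type") == "process":
        text, rules = event.get("cmdline", ""), PROCESS_RULES
    elif event.get("type") == "file":
        text, rules = event.get("path", ""), FILE_RULES
    else:
        return []
    return [name for name, pattern in rules if pattern.search(text)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) pairs for every hit across the event stream."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for name in match_event(event):
            hits.append((idx, name))
    return hits


def verdict(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine hits into a host-level verdict.

    Backup tampering alone is noisy (admins run vssadmin too), so the verdict
    requires it to co-occur with either firewall tampering or one of the
    persistence/dropper artefacts from the IoC list.
    """
    triggered = sorted({name for _, name in scan(events)})
    backup_tamper = "shadow_copy_deletion" in triggered
    firewall_tamper = any(n.startswith("firewall_") for n in triggered)
    persistence = any(n in triggered
                      for n in ("startup_folder_dropper", "appdata_helper_script"))
    return {
        "rules": triggered,
        "likely_ransomware": backup_tamper and (firewall_tamper or persistence),
    }


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    print(verdict(SAMPLE_EVENTS))
```

The rules are deliberately tied to the exact commands and paths listed on this page; on a real host the `rules` list is what you would pivot on (which event, which user, which parent process), while `likely_ransomware` only sets the alert priority.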