- Distribution Method : Unknown
- MD5 : bd20d8afabe658816d06301b8f367c7e
- Major Detection Name : Ransom:Win32/Pactelung.A (Microsoft), Ransom_AVCRYPT.A (Trend Micro)
- Encrypted File Pattern : +<Original Filename>.<Original Extension>
- Malicious File Creation Locations :
  - C:\Users\%UserName%\AppData\Local\Temp\+.bat
  - C:\Users\%UserName%\AppData\Local\Temp\libeay32.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libevent-2-0-5.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libevent_core-2-0-5.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libevent_extra-2-0-5.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libgcc_s_sjlj-1.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libgmp-10.dll
  - C:\Users\%UserName%\AppData\Local\Temp\libssp-0.dll
  - C:\Users\%UserName%\AppData\Local\Temp\ssleay32.dll
  - C:\Users\%UserName%\AppData\Local\Temp\t.bmp
  - C:\Users\%UserName%\AppData\Local\Temp\tor.exe
  - C:\Users\%UserName%\AppData\Local\Temp\zlib1.dll
  - C:\Users\%UserName%\AppData\Local\Temp\t.zip
  - C:\Users\%UserName%\AppData\Roaming\tor
  - C:\Users\%UserName%\AppData\Roaming\<%UserName%>.exe
- Payment Instruction File : +HOW_TO_UNLOCK.txt
- Major Characteristics :
  - Turns off Windows Security Center and User Account Control (UAC)
  - Turns off Windows notifications (EnableBalloonTips, FolderContentsInfoTip, ShowInfoTip, StartButtonBalloonTip)
  - Changes Folder Options (Hidden, HideSCAHealth, ShowSuperHidden)
  - Disables system restore and recovery by running the following commands:
    - bcdedit /set {bootmgr} displaybootmenu no
    - bcdedit /set {default} bootems off
    - bcdedit /set {default} advancedoptions off
    - bcdedit /set {default} optionsedit off
    - bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - bcdedit /set {default} recoveryenabled No
    - wbadmin delete catalog -quiet
    - wmic shadowcopy delete /nointeractive
  - Deletes event logs (Application, Internet Explorer, Security, System)
  - Stops and removes system and security application services (ESProtectionDriver, MBAMChameleon, MBAMFarflt, MBAMProtection, MBAMService, MBAMSwissArmy, MBAMWebProtection, MpsSvc, MsMpSvc, PcaSvc, RasMan, Schedule, SDRSVC, SharedAccess, srservice, swprv, TermService, VSS, WerSvc, WinDefend, WPDBusEnum, wscsvc, wuauserv)
  - Disables Windows Defender and other system security features
  - Uninstalls Adobe and Malwarebytes applications
  - Changes the desktop background (C:\Users\%UserName%\AppData\Roaming\+<Random Number>.bmp)
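The recovery-tampering commands listed above are the most reliable behavioural signal in this sample. The following detection logic is an added example, not part of the original analysis: it scans constructed process-creation records of the form `timestamp|parent|command_line` (a simplified stand-in for Sysmon Event ID 1 fields) and flags any parent process that issues two or more of these commands.

```python
"""Added detection example for the recovery-inhibiting commands described in the
analysis above. Record format and sample data are constructed for illustration."""
import re

# Patterns derived from the bcdedit / wbadmin / wmic commands listed in the analysis.
RECOVERY_TAMPERING = {
    "bcdedit_recovery_off": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

def classify(cmdline):
    """Return the names of every recovery-tampering pattern the command line matches."""
    return [name for name, rx in RECOVERY_TAMPERING.items() if rx.search(cmdline)]

def scan(log_lines, threshold=2):
    """Parse 'timestamp|parent|command_line' records.
    Returns (hits, suspicious): hits maps each parent to its (timestamp, pattern) matches;
    suspicious is the set of parents that issued at least `threshold` distinct patterns,
    which is the chained behaviour described in the analysis rather than a lone admin action."""
    hits = {}
    for line in log_lines:
        try:
            ts, parent, cmd = line.split("|", 2)
        except ValueError:
            continue  # skip malformed records
        for name in classify(cmd):
            hits.setdefault(parent.strip(), []).append((ts.strip(), name))
    suspicious = {p for p, h in hits.items() if len({n for _, n in h}) >= threshold}
    return hits, suspicious

# Constructed sample records (not real telemetry); the parent mirrors the +.bat dropper path above.
SAMPLE_LOG = [
    "2018-05-01T10:00:01|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\+.bat|bcdedit /set {default} recoveryenabled No",
    "2018-05-01T10:00:01|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\+.bat|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2018-05-01T10:00:02|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\+.bat|wbadmin delete catalog -quiet",
    "2018-05-01T10:00:02|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\+.bat|wmic shadowcopy delete /nointeractive",
    "2018-05-01T10:05:00|C:\\Windows\\System32\\cmd.exe|bcdedit /enum",
    "2018-05-01T10:06:00|C:\\Windows\\System32\\cmd.exe|wbadmin get versions",
]

if __name__ == "__main__":
    hits, suspicious = scan(SAMPLE_LOG)
    for parent in suspicious:
        print(parent, sorted({n for _, n in hits[parent]}))
```

The benign `bcdedit /enum` and `wbadmin get versions` records produce no hits, so only the batch-file parent is reported.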