Ransom.Win32.MIMIC.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Löscht Registrierungseinträge, so dass einige Anwendungen und Programme nicht ordnungsgemäß ausgeführt werden.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %User Temp%\7ZipSfx.000\7za.exe
• %User Temp%\7ZipSfx.000\Everything.exe
• %User Temp%\7ZipSfx.000\Everything32.dll
• %User Temp%\7ZipSfx.000\Everything64.dll
• %User Temp%\7ZipSfx.000\Everything.ini
• %User Temp%\7ZipSfx.000\Everything2.ini
• %User Temp%\7ZipSfx.000\Horsesperm.exe
• %User Temp%\7ZipSfx.000\sdel.exe
• %User Temp%\7ZipSfx.000\sdel64.exe
• %User Temp%\7ZipSfx.000\session.tmp
• %User Temp%\7ZipSfx.000\Defender.exe
• %AppDataLocal%\{GUID}\7za.exe → Copy file
• %AppDataLocal%\{GUID}\Everything.exe → Copy file
• %AppDataLocal%\{GUID}\Everything32.dll → Copy file
• %AppDataLocal%\{GUID}\Everything64.dll → Copy file
• %AppDataLocal%\{GUID}\Everything.ini → Copy file
• %AppDataLocal%\{GUID}\Everything2.ini → Copy file
• %AppDataLocal%\{GUID}\Horsesperm.exe → Copy file
• %AppDataLocal%\{GUID}\sdel.exe → Copy file
• %AppDataLocal%\{GUID}\sdel64.exe → Copy file
• %AppDataLocal%\{GUID}\session.tmp → Copy file
• %AppDataLocal%\{GUID}\Defender.exe → Copy file
• {All affected directories}\Bigspermhorseballs_Decryption.txt
• %UserTemp%\session.tmp
• %UserTemp%\{Random Letters}.{Random Letters}.ps1 → It Deletes after
• %UserTemp%\{Random Letters}.{Random Letters}.psm1 → It Deletes after

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

• "%UserTemp%\7ZipSfx.000\7za.exe" x -y -p23980242011156913804 Everything64.dll
• "%UserTemp%\7ZipSfx.000\7za.exe" i
• cmd.exe /c DC.exe /D
• "%AppDataLocal%\{GUID}Defender.exe"
• "%AppDataLocal%\{GUID}Defender.exe" -e watch -pid {PID of Defender.exe} -!
• "%AppDataLocal%\{GUID}Defender.exe" -e ul1
• "%AppDataLocal%\{GUID}Defender.exe" -e ul2
• "%Program Files%\Everything\Everything.exe" -startup
• powercfg.exe -H off
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 1} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 2} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 3} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 1} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 2} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 1} {GUID Group} {GUID Setting 3} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 1} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 2} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 3} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 1} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 2} 0"
• "powercfg.exe -SETACVALUEINDEX {Power scheme GUID 2} {GUID Group} {GUID Setting 3} 0"
• "powercfg.exe -S {Power scheme GUID 1}"
• "powercfg.exe -S {Power scheme GUID 2}"
• "powershell.exe -ExecutionPolicy Bypass ""Get-VM | Stop-VM"""
• "powershell.exe -ExecutionPolicy Bypass ""Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"""
• "powershell.exe -ExecutionPolicy Bypass ""Get-Volume | Get-DiskImage | Dismount-DiskImage"""

(Hinweis: %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.)

Erstellt die folgenden Ordner:

• %AppDataLocal%\{GUID}
• %System Root%\temp

(Hinweis: %System Root% ist der Stammordner, normalerweise C:\. Dort befindet sich auch das Betriebssystem.)

Fügt die folgenden Mutexe hinzu, damit nur jeweils eine ihrer Kopien ausgeführt wird:

• oooiheWoeohohLeooho

Autostart-Technik

Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Defender = %AppDataLocal%\{GUID}\Defender.exe

Andere Systemänderungen

Ändert die folgenden Registrierungseinträge:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\VSS
Start = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SDRSVC
Start = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\wbengine
Start = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathEnabled = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
DataCollection
AllowTelemetry = 0

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 0

(Note: The default value data of the said registry entry is 5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 0

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
PromptOnSecureDesktop = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
shutdownwithoutlogon = 0

(Note: The default value data of the said registry entry is 1.)

Löscht die folgenden Registrierungseinträge:

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows
System = DisableCMD

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows
System = DisableCMD

Prozessbeendigung

Beendet die folgenden Dienste, wenn sie auf dem betroffenen System gefunden werden:

• AcronisAgent
• ARSM
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExerDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• Culserver
• dbeng8
• dbsrv12
• DefWatch
• FishbowlMySQL
• GxBlr
• GxCIMgr
• GxCUD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• MSExchange$
• msftesql-Exchange
• msmdsrv
• MSSQL
• MSSQL$
• MSSQL$KAV_CS_ADMIN_KIT
• MSSQL$MICROSOFT##SSEE
• MSSQL$MICROSOFT##WID
• MSSQL$SBMONITORING
• MSSQL$SHAREPOINT
• MSSQL$VEAMSQL2012
• MSSQLFDLauncher$SBSMONITORING
• MSSQLFDLauncher$SHAREPOINT
• MSSQLServerADHelper100
• MVArmor
• MVarmor64
• svc$
• sophos
• RTVscan
• MySQL57
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDService
• QBVSS
• SavRoam
• SQL
• SQLADHLP
• sqlagent
• SQLAgent$KAV_CS_ADMIN_KIT
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• SQLAgent$VEEAMSQL2012
• sqlbrowser
• SqlServr
• SQLWriter
• stc_raw_agent
• tomcat6
• veeam
• VeeamDeploymentService
• VeamNFSSvc
• vmware-converter
• vmware-usbarbitator64
• VSNAPVSS
• vss
• wrapper
• WSBExchange
• YooBackup
• YooIT

Beendet Prozesse oder Dienste, die einen oder mehrere dieser Zeichenfolgen enthalten, wenn sie im Speicher des betroffenen Systems ausgeführt werden:

• agentsvc.exe
• AutodeskDesktopApp.exe
• axlbridge.exe
• bedbh.exe
• benetns.exe
• bengien.exe
• beserver.exe
• CoreSync.exe
• Creative Cloud.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• EnterpriseClient.exe
• fbguard.exe
• fbserver.exe
• fdhost.exe
• fdlauncher.exe
• httpd.exe
• isqlplussvc.exe
• msaccess.exe
• MsDtSrvr.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• oracle.exe
• pvlsvr.exe
• node.exe
• java.exe
• python.exe
• wpython.exe
• QBDBMgr.exe
• QBDBMgrN.exe
• QBIDService.exe
• qbupdate.exe
• QBW32.exe
• QBW64.exe
• Raccine.exe
• Raccine_x86.exe
• RaccineElevatedCfg.exe
• RaccineSettings.exe
• VeeamDeploymentSvc.exe
• RAgui.exe
• raw_agent_svc.exe
• SimplyConnectionManager.exe
• sqbcoreservice.exe
• sql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlmangr.exe
• sqlservr.exe
• sqlwriter.exe
• Ssms.exe
• Sysmon.exe
• Sysmon64.exe
• tbirdconfig.exe
• tomcat6.exe
• vsnapvss.exe
• vxmon.exe
• wdswfsafe.exe
• wsa_service.exe
• wxServer.exe
• wxServerView.exe
• xfssvccon.exe

Andere Details

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
Image File Execution Options = {list of processes to be terminated}

HKEY_LOCAL_MACHINE\SOFTWARE
Classes = mimicfile

HKEY_LOCAL_MACHINE\SOFTWARE
Classes = .bigspermhorseballs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
HidePowerOptions = 1

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\CurrentVersion\
Policies\Explorer
HidePowerOptions = 1

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\CurrentVersion\
Policies\Explorer
NoClose = 1

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\CurrentVersion\
Policies\Explorer
StartMenuLogOff = 1

Für ihre ordnungsgemäße Ausführung sind die folgenden zusätzlichen Komponenten erforderlich:

• Everything32.dll
• Everything64.dll

Es macht Folgendes:

• Activating anti-kill measures
• Activating anti-shutdown measures
• Bypassing User Account Control (UAC)
• Collecting system information
• Creating persistence via the RUN key
• Disabling Windows Defender
• Disabling Windows Telemetry
• Disabling sleep mode and shutdown of the system
• Inhibiting System Recovery
• Removing Indicators
• Terminating processes and services
• Unmounting Virtual Drives