Ransom.MSIL.HARDBIT.THAODBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %User Profile%\DOCUMENTS\hrdb.ico → icon used for all encrypted files
• %Desktop%\HARDBIT.jpg → image used as system wallpaper after encryption
• %User Temp%\lsm.exe → detected as TROJ_GEN.R002H09HJ23
• %User Temp%\is64.txt → identifies the OS architecture
• %User Temp%\is64.bat
• %User Temp%\is64.fil → contains the path to the 64-bit cmd.exe

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario} y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}).

Agrega los procesos siguientes:

• cmd.exe /C sc delete VSS
• cmd.exe /C wbadmin delete catalog -quiet
• cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy deletee
• cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
• "powershell" Get-MpPreference -verbose
• net.exe stop avpsus /y
• net.exe stop McAfeeDLPAgentService /y
• net.exe stop mfewc /y
• net.exe stop BMR Boot Service /y
• net.exe stop NetBackup BMR MTFTP Service /y
• net.exe stop DefWatch /y
• net.exe stop ccEvtMgr /y
• net.exe stop ccSetMgr /y
• net.exe stop SavRoam /y
• net.exe stop RTVscan /y
• net.exe stop QBFCService /y
• net.exe stop QBIDPService /y
• net.exe stop IntuitQuickBooksFCS /y
• net.exe stop QBCFMonitorService /y
• net.exe stop YooBackup /y
• net.exe stop YooIT /y
• net.exe stop zhudongfangyu /y
• net.exe stop stc_raw_agent /y
• net.exe stop VSNAPVSS /y
• net.exe stop VeeamTransportSvc /y
• net.exe stop VeeamDeploymentService /y
• net.exe stop VeeamNFSSvc /y
• net.exe stop veeam /y
• net.exe stop PDVFSService /y
• net.exe stop BackupExecVSSProvider /y
• net.exe stop BackupExecAgentAccelerator /y
• net.exe stop BackupExecAgentBrowser /y
• net.exe stop BackupExecDiveciMediaService /y
• net.exe stop BackupExecJobEngine /y
• net.exe stop BackupExecManagementService /y
• net.exe stop BackupExecRPCService /y
• net.exe stop AcrSch2Svc /y
• net.exe stop AcronisAgent /y
• net.exe stop CASAD2DWebSvc /y
• net.exe stop CAARCUpdateSvc /y
• net.exe stop sophos /y
• net.exe stop -n apache24
• net.exe stop mysql57
• net.exe wrapper
• net.exe DefWatch
• net.exe stop SavRoam /y
• net.exe stop Sqlservr /y
• net.exe stop sqlagent /y
• net.exe stop sqladhlp /y
• net.exe stop Culserver /y
• net.exe stop sqlbrowser /y
• net.exe stop QLADHLP /y
• net.exe stop Intuit /y
• net.exe stop QuickBooks /y
• net.exe stop FCS /y
• net.exe stop msmdsrv /y
• net.exe stop tomcat6 /y
• net.exe stop vmware /y
• net.exe stop vmware-converter /y
• net.exe stop dbsrv12 /y
• net.exe stop dbeng8 /y
• net.exe stop MSSQL$MICROSOFT /y
• net.exe stop ##WID /y
• net.exe stop MSSQL$VEEAMSQL2012 /y
• net.exe stop SQLAgent$VEEAMSQL2012 /y
• net.exe stop SQLBrowser /y
• net.exe stop SQLWriter /y
• net.exe stop FishbowlMySQL /y
• net.exe stop MySQL57 /y
• net.exe stop MSSQL$KAV_CS_ADMIN_KIT /y
• net.exe stop MSSQLServerADHelper100 /y!
• net.exe stop SQLAgent$KAV_CS_ADMIN_KIT /y
• net.exe stop msftesql /y
• net.exe stop Exchange /y
• net.exe stop MSSQL$MICROSOFT##SSEE /y
• net.exe stop MSSQL$SBSMONITORING /y
• net.exe stop MSSQL$SHAREPOINT /y
• net.exe stop MSSQLFDLauncher$SBSMONITORING /y
• net.exe stop SQLAgent$SBSMONITORING /y
• net.exe stop SQLAgent$SHAREPOINT /y
• net.exe stop QBVSS /y
• net.exe stop vss /y
• net.exe stop sql /y
• net.exe stop svc$ /y
• net.exe stop MSSQL /y
• net.exe stop MSSQL$ /y
• net.exe stop memtas /y
• net.exe stop mepocs /y
• net.exe stop backup /y
• net.exe stop bedbg /y
• net.exe stop MVArmor /y
• net.exe stop MVarmor64 /y
• net.exe stop ARSM /y
• net.exe stop WSBExchange /y
• net.exe stop MSExchange /y
• net.exe stop MSExchange$ /y
• %User Temp%\lsm.exe
• %User Temp%\is64.bat
• "%System%\mshta.exe" "%User Temp%\readme-warning.hta"

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Crea las carpetas siguientes:

• %User Temp%\myfiles
• %User Temp%\wxy

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_USERS\{SID}_CLASSES\.hardbit2\
DefaultIcon
(Default) = %User Profile%\Documents\hrdb.ico

Agrega las siguientes claves de registro como parte de la rutina de instalación:

HKEY_USERS\{SID}_CLASSES\.hardbit2

HKEY_USERS\{SID}_CLASSES\.hardbit2\
DefaultIcon

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableOnAccessProtection = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableScanOnRealtimeEnable = 1

(Note: The default value data of the said registry entry is 0.)

Cambia el fondo de escritorio mediante la modificación de las siguientes entradas de registro:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Desktop%\HARDBIT.jpg

Este malware establece la imagen siguiente como fondo de escritorio del sistema:

• %Desktop%\HARDBIT.jpg
  

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• avpsus
• McAfeeDLPAgentService
• mfewc
• BMR Boot Service
• NetBackup BMR MTFTP Service
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• RTVscan
• QBFCService
• QBIDPService
• IntuitQuickBooksFCS
• QBCFMonitorService
• YooBackup
• YooIT
• zhudongfangyu
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• veeam
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• AcrSch2Svc
• AcronisAgent
• CASAD2DWebSvc
• CAARCUpdateSvc
• sophos
• apache24
• mysql57
• SavRoam
• Sqlservr
• sqlagent
• sqladhlp
• Culserver
• sqlbrowser
• QLADHLP
• Intuit
• QuickBooks
• FCS
• msmdsrv
• tomcat6
• vmware
• vmware-converter
• dbsrv12
• dbeng8
• MSSQL$MICROSOFT
• ##WID
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• SQLBrowser
• SQLWriter
• FishbowlMySQL
• MySQL57
• MSSQL$KAV_CS_ADMIN_KIT
• MSSQLServerADHelper100!
• SQLAgent$KAV_CS_ADMIN_KIT
• msftesql
• Exchange
• MSSQL$MICROSOFT##SSEE
• MSSQL$SBSMONITORING
• MSSQL$SHAREPOINT
• MSSQLFDLauncher$SBSMONITORING
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• QBVSS
• vss
• sql
• svc$
• MSSQL
• MSSQL$
• memtas
• mepocs
• backup
• bedbg
• MVArmor
• MVarmor64
• ARSM
• WSBExchange
• MSExchange
• MSExchange$

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• 360Doctor
• 360Se
• acwebbrowser
• ADExplorer
• ADExplorer64
• ADExplorer64a
• Adobe
• AdobeCollabSync
• AdobeIPCBroker
• agntsvc
• AutodeskDesktopApp
• Autoruns
• Autoruns64
• Autoruns64a
• Autorunsc
• Autorunsc64
• Autorunsc64a
• avz
• axlbridge
• bedbh
• benetns
• bengien
• beserver
• BrCcUxSys
• BrCtrlCntr
• CagService
• calc
• CEF
• Cloud
• CoreSync
• Creative
• Culture
• dbeng50
• dbsnmp
• Defwatch
• DellSystemDetect
• dumpcap
• encsvc
• EnterpriseClient
• excel
• fbguard
• fbserver
• fdhost
• fdlauncher
• firefox
• GDscan
• GlassWire
• GWCtlSrv
• Helper
• httpd
• infopath
• InputPersonalization
• isqlplussvc
• j0gnjko1
• java
• koaly-exp-engine-service
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• mysqld
• node
• notepad
• notepad++
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• ONENOTEM
• oracle
• outlook
• powerpnt
• ProcessHacker
• Procexp
• Procexp64
• procexp64a
• procmon
• procmon64
• procmon64a
• pvlsvr
• QBDBMgr
• QBDBMgrN
• QBIDPService
• qbupdate
• QBW32
• Raccine
• Raccine_x86
• RaccineElevatedCfg
• RaccineSettings
• RAgui
• raw_agent_svc
• RdrCEF
• RTVscan
• sam
• Service
• SimplyConnectionManager
• SimplySystemTrayIcon
• sqbcoreservice
• sqlbrowser
• sqlmangr
• Sqlservr
• Ssms
• steam
• supervise
• sync
• synctime
• Sysmon
• Sysmon64
• SystemExplorer
• SystemExplorerService
• SystemExplorerService64
• taskbar
• tbirdconfig
• tcpview
• tcpview64
• tcpview64a
• tdsskiller
• TeamViewer
• TeamViewer_Service
• thebat
• thunderbird
• TitanV
• tomcat6
• Totalcmd
• Totalcmd64
• tv_w32
• tv_x64
• VeeamDeploymentSvc
• visio
• vsnapvss
• vss
• vxmon
• wdswfsafe
• winword
• WireShark
• wordpad
• worker
• wsa_service
• wuauclt
• wxServer
• wxServerView
• xfssvccon
• ZhuDongFangYu

Robo de información

Recopila los siguientes datos:

• Hardware information (CPU, Disk Drives, Graphics Card, Manufacturer, BIOS)
• Network adapter settings (IP configuration, MAC address)
• Username
• Computer Name
• Timezone Information

Otros detalles

Hace lo siguiente:

• It changes the encrypted file icon to the following image:
  
• %User Temp%\lsm.exe shows the following message box: