Ransom.Win32.HIDDENTEAR.B

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %Temp%\update.{Random}.mwt
• %Program Data%\encryption.{10 Random Characters}.enc.key.plain
• %Program Data%\encryption.{10 Random Characters}.enc.key
• %Temp%\encryption.log → if already exist, it will not proceed to its malicious routine

(Nota: %Temp% es la carpeta de archivos temporales de Windows, que suele estar en C:\Windows\Temp o C:\WINNT\Temp).

Agrega los procesos siguientes:

• netsh advfirewall firewall add rule name="Port 80" dir=out action=block protocol=TCP remoteport=80
• netsh advfirewall firewall add rule name="Port 443" dir=out action=block protocol=TCP remoteport=443
• netsh advfirewall firewall add rule name="Port 4122out" dir=out action=block protocol=TCP remoteport=4122 localport=4122
• netsh advfirewall firewall add rule name="Port 4118-4119out" dir=out action=block protocol=TCP remoteport=4118-4119 localport=4118-4119
• netsh advfirewall firewall add rule name="Port 5274-5275out" dir=out action=block protocol=TCP remoteport=5274-5275 localport=5274-5275
• netsh advfirewall firewall add rule name="Port 4122in" dir=in action=block protocol=TCP remoteport=4122 localport=4122
• netsh advfirewall firewall add rule name="Port 4118-4119in" dir=in action=block protocol=TCP remoteport=4118-4119 localport=4118-4119
• netsh advfirewall firewall add rule name="Port 5274-5275in" dir=in action=block protocol=TCP remoteport=5274-5275 localport=5274-5275
• %Temp%\update.{Random}.mwt true %ProgramData%\encryption.{10 Random Characters}.enc.key.plain
• cmd /c "taskkill /F /IM {Target Process}"

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• via taskkill /F /IM:
  • pg_ctl.exe
  • postgres.exe
  • mysqld.exe
  • sqlservr.exe
  • sqlwriter.exe
  • sqlceip.exe

Otros detalles

Hace lo siguiente:

• It targets files and folders in local drives, network shares, and removable drives.
• It encrypts files related to Microsoft SQL which contain the following strings in their file path:
  • {Drive Letter}\Program Files\*MSSQL*
  • {Drive Letter}\Program Files (x86)\*MSSQL*
• It adds the following processes if these Windows Firewall rule exists:
  • netsh advfirewall firewall delete rule name="Port 80"
  • netsh advfirewall firewall delete rule name="Port 443"
  • netsh advfirewall firewall delete rule name="Port 4122in"
  • netsh advfirewall firewall delete rule name="Port 4118-4119in"
  • netsh advfirewall firewall delete rule name="Port 5274-5275in"
  • netsh advfirewall firewall delete rule name="Port 4122out"
  • netsh advfirewall firewall delete rule name="Port 4118-4119out"
  • netsh advfirewall firewall delete rule name="Port 5274-5275out"
• It requires a specific file name and path to proceed to its malicious routine. → "%Temp%\update.mwt"
  • When executed without this file name, it will repeatedly create %Temp%\update.{Random}.mwt until it crashed the system.
• It requires to be executed as an administrator.
  • When executed without admin privilege, it will encrypt network shares and will not create processes for Windows Firewall rules.

(Nota: %Temp% es la carpeta de archivos temporales de Windows, que suele estar en C:\Windows\Temp o C:\WINNT\Temp).