Ransom.Win32.RTMCOMMAND.THKBFBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %System%\imageres.dll ← Used to change desktop wallpaper

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

• Select * from Win32_ShadowCopy.ID={ShadowCopy ID} → deletes shadow copy
• %System%\cmd.exe" /c PING -n 5 127.0.0.1 > NUL && del "{Malware Full Path}" → deletes itself

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
{empty} = %System%\imageres.dll, -55

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\img{4 Random Characters}.tmp

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProider
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• Sophos
• sql
• Stc_raw_agent
• svc$
• torService
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• Vsnapvss
• vss
• YooBackup
• YooIT
• Zhudongfangyu

It terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• firefox.exe
• infopath.exe
• isqlplussvc.exe
• msaccess.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• notepad.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• sqbcoreservice.exe
• sql.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• xfssvccon.exe

Other Details

This Ransomware does the following:

• If not executed with admins rights, it will relaunch itself as admin using this command:
  • %System%\cmd.exe /c ECHO “You must restart the program to resolve a critical error” && start”” ” %System Root%\{Malware Full path}.exe”
• Empties Recycle Bin
• Encrypts network drive
• Clear event logs for the following:
  • System
  • Application
  • Security
• It can only encrypt up to 8000 bytes of content only
• It only encrypts files that has a file size that is greater than 512 bytes

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It accepts the following parameters:

• -debug: Display debug information

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• all users
• appdata
• application data
• boot
• default
• google
• intel
• mozilla
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .{64 Random Characters}

It drops the following file(s) as ransom note:

• {Encrypted Directory}\How To Restore Your Files.txt
  
• %User Temp%\img{4 Random Characters}.tmp