Ransom.MSIL.AGENDA.THJCOBD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %User Temp%\QLOG

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Infiltra los archivos siguientes:

• %User Temp%\atx.bat → script to rename the first rh*.exe file it finds in the current folder to rh111.exe before executing it with specified arguments
• %User Temp%\QLOG\ThreadId({Number}).LOG → contains embedded configuration and execution logs
• %User Temp%\{Random Letters}.jpg → image used as desktop wallpaper

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega los procesos siguientes:

• cmd /c ""%User Temp%\atx.bat" "
• "cmd" /C fsutil behavior set SymlinkEvaluation R2R:1
• "cmd" /C fsutil behavior set SymlinkEvaluation R2L:1
• "cmd" /C net use
• "cmd" /C wmic service where name='vss' call ChangeStartMode Manual
• "cmd" /C net start vss
• "cmd" /C vssadmin.exe delete shadows /all /quiet
• "cmd" /C net stop vss
• "cmd" /C wmic service where name='vss' call ChangeStartMode Disabled
• "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)} - clears all event logs
• "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
• "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
• "reg.exe" QUERY "HKEY_USERS"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER CLSID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{SYSTEM SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command " REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "cmd" /C timeout /T 10 & Del "{Malware Path}\{Malware Filename}"

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Se ejecuta y, a continuación, se elimina.

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• 32bcf09497d3a5a77fcea9740d3bd2b2c70760cfe3aef8b4c819adb509434ead

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
*{Random Letters} = "{Malware Path}\{Malware Filename}" --password {Password} --no-admin

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToLocalEvaluation = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToRemoteEvaluation = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters
MaxMpxCt = 65535

(Note: The default value data of the said registry entry is {Default Value}.)

Cambia el fondo de escritorio mediante la modificación de las siguientes entradas de registro:

HKEY_CURRENT_USERS\Control Panel\Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\.DEFAULT\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageStatus = 1

(Note: The default value data of the said registry entry is {Default Value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageStatus = 1

(Note: The default value data of the said registry entry is {Default Value}.)

Este malware establece la imagen siguiente como fondo de escritorio del sistema:

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• (.*?)sql(.*?)
• acronisagent
• acrsch2svc
• backup
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• backupexecvssprovider
• gxblr
• gxcimgr
• gxclmgrs
• gxcvd
• gxfwd
• gxmmm
• gxvss
• gxvsshwprov
• memtas
• mepocs
• msexchange
• msexchange\$
• mvarmor
• mvarmor64
• pdvfsservice
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• sap
• sap\$
• sapd\$
• saphostcontrol
• saphostexec
• sapservice
• sophos
• sql
• veeam
• veeamdeploymentservice
• veeamnfssvc
• veeamtransportsvc
• vsnapvss
• vss
• wsbexchange

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• agntsvc
• avagent
• avscc
• bedbh
• benetns
• bengien
• beserver
• cagservice
• cvd
• cvfwd
• cvmountd
• cvods
• dbeng50
• dbsnmp
• dellsystemdetect
• encsvc
• enterpriseclient
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mvdesktopservice
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• raw_agent_svc
• sap
• saphostexec
• saposcol
• sapstartsrv
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• teamviewer
• teamviewer_service
• thebat
• thunderbird
• tv_w32
• tv_x64
• veeamdeploymentsvc
• veeamnfssvc
• veeamtransportsvc
• visio
• vmcompute
• vmwp
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Otros detalles

Hace lo siguiente:

• It enables the following privileges to allow access to restricted actions in the system:
  • SeDebugPrivilege
  • SeImpersonatePrivilege
  • SeIncreaseBasePriorityPrivilege
• It creates the following named pipe:
  • \.\pipe\__rust_anonymous_pipe1__.3860.{Number Count}
• It repeatedly clears all event logs in the system.
• It retrieves the DNS hostnames of all computers in an Active Directory domain before encrypting them.
• It deletes all shadow copies and disables automatic startup of Volume Shadow Copy Service