Ransom.Win64.ENAMON.THACABD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Malware File Path}\note.txt → deleted afterwards
• {Malware File Path}\ext.txt → deleted afterwards
• {Malware File Path}\SelfDelete.bat → used to delete itself
• {Encrypted File Path}\DECRYPTION_IDS.TXT→ contains decryption IDs

Agrega los procesos siguientes:

• "%System%\cmd.exe\" /C "{Malware File Path}\SelfDelete.bat"

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• 105.5.5195.102_104.0.5112.81_chrome_updater.exe
• applicationframehost.exe
• audiodg.exe
• dashost.exe
• dllhost.exe
• fiddler.exe
• googlecrashhandler.exe
• googlecrashhandler64.exe
• googleupdate.exe
• microsoftedgeupdate.exe
• mpcmdrun.exe
• msascui.exe
• mscorsvw.exe
• nissrv.exe
• onedrive.exe
• plugin_host.exe
• processhacker.exe
• procmon.exe
• procmon64.exe
• ptsessionagent.exe
• ptwatchdog.exe
• searchindexer.exe
• setup.exe
• sublime_text.exe
• sysmon64.exe
• tabtip.exe
• tabtip32.exe
• taskeng.exe
• tcplogview.exe
• uiwatchdog.exe
• vdisk.exe
• vmacthelp.exe
• vm3dservice.exe
• vserver.exe

Otros detalles

Hace lo siguiente:

• Empties the Recycle Bin
• It displays the following GUI:
  • Actions → allows user to:
    • Terminate predefined processes.
    • Empty the Recycle Bin.
    • Select and search drives and folders for files to be encrypted.
    • Stop searching drives and folders for files to be encrypted.
    • Select encryption mode: FASTEST, FAST, SLOW, FULL.
    • Select if found files based on specifications set in the Criteria tab will be displayed.
    • Select whether to allow multithreaded encryption or not.
    • List found files based on specifications set in the Criteria tab.
    • Clear the list of found files based on specifications set in the Criteria tab.
    • Encrypt or erase found files based on specifications set in the Criteria tab.
    • Select if ransom note is to be dropped.
    • Delete the malware file after encryption or when the GUI is closed.
    • Hide the GUI.
    • Generate/Set WorkID for the ransom note.
    • Set a virtual key.
      
      
  • Criteria → allows user to:
    • Specify file extensions that will be encrypted.
    • Specify file extensions, file paths, and file names that will not be encrypted.
  
  
  
  • Note → allows user to:
    • Modify the contents of the ransom note to be dropped.
    • Save the contents of the ransom note as {Malware File path}\note.txt.
  
  
  
  • Log → allows user to:
    • View logs of the malware.