Ransom.BAT.MEGACORTEX.A
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware adds the following processes:
- taskinstall /im cmgrdian.exe /f
- taskinstall /im cntaosmgr.exe /f
- taskinstall /im collwrap.exe /f
- taskinstall /im comhost.exe /f
- taskinstall /im config_api_service.exe /f
- taskinstall /im console.exe /f
- taskinstall /im control_panel.exe /f
- taskinstall /im coreframeworkhost.exe /f
- taskinstall /im coreserviceshell.exe /f
- taskinstall /im cpd.exe /f
- taskinstall /im cpdclnt.exe /f
- taskinstall /im cpf.exe /f
- taskinstall /im cpntsrv.exe /f
- taskinstall /im cramtray.exe /f
- taskinstall /im crashrep.exe /f
- taskinstall /im crdm.exe /f
- taskinstall /im crssvc.exe /f
- taskinstall /im csacontrol.exe /f
- taskinstall /im csadmin.exe /f
- taskinstall /im csauth.exe /f
- taskinstall /im csdbsync.exe /f
- taskinstall /im csfalconservice.exe /f
- taskinstall /im csinject.exe /f
- taskinstall /im csinsm32.exe /f
- taskinstall /im csinsmnt.exe /f
- taskinstall /im cslog.exe /f
- taskinstall /im csmon.exe /f
- taskinstall /im csradius.exe /f
- taskinstall /im csrss_tc.exe /f
- taskinstall /im cssauth.exe /f
- taskinstall /im cstacacs.exe /f
- taskinstall /im ctdataload.exe /f
- taskinstall /im cwbunnav.exe /f
- taskinstall /im cylancesvc.exe /f
- taskinstall /im cylanceui.exe /f
- taskinstall /im dao_log.exe /f
- taskinstall /im dbeng50.exe /f
- taskinstall /im dbserv.exe /f
- taskinstall /im dbsnmp.exe /f
- taskinstall /im dbsrv9.exe /f
- taskinstall /im defwatch /f
- taskinstall /im defwatch.exe /f
- taskinstall /im deloeminfs.exe /f
- taskinstall /im deteqt.agent.exe /f
- taskinstall /im diskmon.exe /f
- taskinstall /im djsnetcn.exe /f
- taskinstall /im dlservice.exe /f
- taskinstall /im dltray.exe /f
- taskinstall /im dolphincharge.e /f
- taskinstall /im dolphincharge.exe /f
- taskinstall /im doscan.exe /f
- taskinstall /im dpmra.exe /f
- taskinstall /im dr_serviceengine.exe /f
- taskinstall /im drwagntd.exe /f
- taskinstall /im drwagnui.exe /f
- taskinstall /im drweb.exe /f
- taskinstall /im drweb32.exe /f
- taskinstall /im drweb32w.exe /f
- taskinstall /im drweb386.exe /f
- taskinstall /im drwebcgp.exe /f
- taskinstall /im drwebcom.exe /f
- taskinstall /im drwebdc.exe /f
- taskinstall /im drwebmng.exe /f
- taskinstall /im drwebscd.exe /f
- taskinstall /im drwebupw.exe /f
- taskinstall /im drwebwcl.exe /f
- taskinstall /im drwebwin.exe /f
- taskinstall /im drwinst.exe /f
- taskinstall /im dsmcad.exe /f
- taskinstall /im dsmcsvc.exe /f
- taskinstall /im dwarkdaemon.exe /f
- taskinstall /im dwengine.exe /f
- taskinstall /im dwhwizrd.exe /f
- taskinstall /im dwnetfilter.exe /f
- taskinstall /im dwrcst.exe /f
- taskinstall /im dwwin.exe /f
- taskinstall /im edisk.exe /f
- taskinstall /im eeyeevnt.exe /f
- taskinstall /im egui.exe /f
- taskinstall /im ehttpsrv.exe /f
- taskinstall /im ekrn.exe /f
- taskinstall /im elogsvc.exe /f
- taskinstall /im emlibupdateagentnt.exe /f
- taskinstall /im emlproui.exe /f
- taskinstall /im ahnsdsv.exe /f
- taskinstall /im alert.exe /f
- taskinstall /im alertsvc.exe /f
- taskinstall /im almon.exe /f
- taskinstall /im alogserv.exe /f
- taskinstall /im alsvc.exe /f
- taskinstall /im alunotify.exe /f
- taskinstall /im alupdate.exe /f
- taskinstall /im aluschedulersvc.exe /f
- taskinstall /im amsvc.exe /f
- taskinstall /im amswmagt /f
- taskinstall /im aphost.exe /f
- taskinstall /im appsvc32.exe /f
- taskinstall /im aps.exe /f
- taskinstall /im apvxdwin.exe /f
- taskinstall /im ashbug.exe /f
- taskinstall /im ashchest.exe /f
- taskinstall /im ashcmd.exe /f
- taskinstall /im ashdisp.exe /f
- taskinstall /im ashenhcd.exe /f
- taskinstall /im ashlogv.exe /f
- taskinstall /im ashmaisv.exe /f
- taskinstall /im ashpopwz.exe /f
- taskinstall /im ashquick.exe /f
- taskinstall /im ashserv.exe /f
- taskinstall /im ashsimp2.exe /f
- taskinstall /im ashsimpl.exe /f
- taskinstall /im ashskpcc.exe /f
- taskinstall /im ashskpck.exe /f
- taskinstall /im ashupd.exe /f
- taskinstall /im ashwebsv.exe /f
- taskinstall /im asupport.exe /f
- taskinstall /im aswdisp.exe /f
- taskinstall /im aswregsvr.exe /f
- taskinstall /im aswserv.exe /f
- taskinstall /im aswupdsv.exe /f
- taskinstall /im aswwebsv.exe /f
- taskinstall /im atrshost.exe /f
- taskinstall /im atwsctsk.exe /f
- taskinstall /im aupdrun.exe /f
- taskinstall /im aus.exe /f
- taskinstall /im auth8021x.exe /f
- taskinstall /im autoup.exe /f
- taskinstall /im avcenter.exe /f
- taskinstall /im avconfig.exe /f
- taskinstall /im avconsol.exe /f
- taskinstall /im avengine.exe /f
- taskinstall /im avesvc.exe /f
- taskinstall /im avfwsvc.exe /f
- taskinstall /im avkproxy.exe /f
- taskinstall /im avkservice.exe /f
- taskinstall /im avktray.exe /f
- taskinstall /im avkwctl.exe /f
- taskinstall /im avltmain.exe /f
- taskinstall /im avmailc.exe /f
- taskinstall /im avmcdlg.exe /f
- taskinstall /im avnotify.exe /f
- taskinstall /im avscan.exe /f
- taskinstall /im avscc.exe /f
- taskinstall /im avserver.exe /f
- taskinstall /im avshadow.exe /f
- taskinstall /im avsynmgr.exe /f
- taskinstall /im avtask.exe /f
- taskinstall /im avwebgrd.exe /f
- taskinstall /im basfipm.exe /f
- taskinstall /im bavtray.exe /f
- taskinstall /im bcreporter.exe /f
- taskinstall /im bcrservice.exe /f
- taskinstall /im bdagent.exe /f
- taskinstall /im bdc.exe /f
- taskinstall /im bdlite.exe /f
- taskinstall /im bdmcon.exe /f
- taskinstall /im bdredline.exe /f
- taskinstall /im bdss.exe /f
- taskinstall /im bdsubmit.exe /f
- taskinstall /im bhipssvc.exe /f
- taskinstall /im bka.exe /f
- taskinstall /im blackd.exe /f
- taskinstall /im blackice.exe /f
- taskinstall /im bluestripecollector.exe /f
- taskinstall /im blupro.exe /f
- taskinstall /im bmrt.exe /f
- taskinstall /im bwgo0000 /f
- taskinstall /im ca.exe /f
- taskinstall /im caantispyware.exe /f
- taskinstall /im caav.exe /f
- taskinstall /im caavcmdscan.exe /f
- taskinstall /im caavguiscan.exe /f
- taskinstall /im caf.exe /f
- taskinstall /im cafw.exe /f
- taskinstall /im caissdt.exe /f
- taskinstall /im calogdump.exe /f
- taskinstall /im capfaem.exe /f
- taskinstall /im capfasem.exe /f
- taskinstall /im capfsem.exe /f
- taskinstall /im capmuamagt.exe /f
- taskinstall /im cappactiveprotection.exe /f
- taskinstall /im casc.exe /f
- taskinstall /im casecuritycenter.exe /f
- taskinstall /im caunst.exe /f
- taskinstall /im cavrep.exe /f
- taskinstall /im cavrid.exe /f
- taskinstall /im cavscan.exe /f
- taskinstall /im cavtray.exe /f
- taskinstall /im ccap.exe /f
- taskinstall /im ccapp.exe /f
- taskinstall /im ccemflsv.exe /f
- taskinstall /im ccenter.exe /f
- taskinstall /im ccevtmgr.exe /f
- taskinstall /im ccflic0.exe /f
- taskinstall /im ccflic4.exe /f
- taskinstall /im cclaw.exe /f
- taskinstall /im ccm messaging.exe /f
- taskinstall /im ccnfagent.exe /f
- taskinstall /im ccprovsp.exe /f
- taskinstall /im ccproxy.exe /f
- taskinstall /im ccpxysvc.exe /f
- taskinstall /im ccschedulersvc.exe /f
- taskinstall /im ccsetmgr.exe /f
- taskinstall /im ccsmagtd.exe /f
- taskinstall /im ccsvchst.exe /f
- taskinstall /im ccsystemreport.exe /f
- taskinstall /im cctray.exe /f
- taskinstall /im ccupdate.exe /f
- taskinstall /im cdm.exe /f
- taskinstall /im certificateprovider.exe /f
- taskinstall /im certificationmanagerservicent.exe /f
- taskinstall /im cfftplugin.exe /f
- taskinstall /im cfnotsrvd.exe /f
- taskinstall /im cfp.exe /f
- taskinstall /im cfpconfg.exe /f
- taskinstall /im cfpconfig.exe /f
- taskinstall /im cfplogvw.exe /f
- taskinstall /im cfpsbmit.exe /f
- taskinstall /im cfpupdat.exe /f
- taskinstall /im cfsmsmd.exe /f
- taskinstall /im checkup.exe /f
- taskinstall /im chrome.exe /f
- taskinstall /im cis.exe /f
- taskinstall /im cistray.exe /f
- taskinstall /im cka.exe /f
- taskinstall /im clamscan.exe /f
- taskinstall /im clamtray.exe /f
- taskinstall /im clamwin.exe /f
- taskinstall /im client.exe /f
- taskinstall /im client64.exe /f
- taskinstall /im clps.exe /f
- taskinstall /im clpsla.exe /f
- taskinstall /im clpsls.exe /f
- taskinstall /im clshield.exe /f
- taskinstall /im cmdagent.exe /f
- taskinstall /im cmdinstall.exe /f
- taskinstall /im emlproxy.exe /f
- taskinstall /im encsvc.exe /f
- taskinstall /im endpointsecurity.exe /f
- taskinstall /im engineserver.exe /f
- taskinstall /im entitymain.exe /f
- taskinstall /im epmd.exe /f
- taskinstall /im era.exe /f
- taskinstall /im erlsrv.exe /f
- taskinstall /im esecagntservice.exe /f
- taskinstall /im esecservice.exe /f
- taskinstall /im esmagent.exe /f
- taskinstall /im etagent.exe /f
- taskinstall /im etconsole3.exe /f
- taskinstall /im etcorrel.exe /f
- taskinstall /im etloganalyzer.exe /f
- taskinstall /im etreporter.exe /f
- taskinstall /im etrssfeeds.exe /f
- taskinstall /im a2service.exe /f
Other Details
This Ransomware does the following:
- It disables the following services:
- Acronis VSS Provider
- AcronisAgent
- AcrSch2Svc
- AdobeARMservice
- Alerter
- ARSM
- aswBcc
- avbackup
- BackupExecAgentAccelerator
- BackupExecAgentBrowser
- BackupExecDeviceMediaService
- BackupExecJobEngine
- BackupExecManagementService
- BackupExecRPCService
- BackupExecVSSProvider
- bcrservice
- bedbg
- BITS
- BlueStripeCollector
- BrokerInfrastructure
- ccEvtMgr
- ccSetMgr
- Cissesrv
- CpqRcmc3
- CSAdmin
- CSAuth
- CSDbSync
- CSLog
- CSMon
- CSRadius
- CSTacacs
- DB2
- DB2-0
- DB2DAS00
- DB2GOVERNOR_DB2COPY1
- DB2INST2
- DB2LICD_DB2COPY1
- DB2MGMTSVC_DB2COPY1
- DB2REMOTECMD_DB2COPY1
- DCAgent
- EhttpSrv
- ekrn
- Enterprise Client Service
- epag
- EPIntegrationService
- EPProtectedService
- epredline
- EPSecurityService
- EPUpdateService
- EraserSvc11710
- ERSvc
- EsgShKernel
- ESHASRV
- Eventlog
- FA_Scheduler
- GoogleChromeElevationService
- gupdate
- gupdatem
- HealthService
- IBMDataServerMgr
- IBMDSServer41
- IDriverT
- IISAdmin
- IMAP4Svc
- ImapiService
- klnagent
- LogProcessorService
- LRSDRVX
- macmnsvc
- masvc
- MBAMService
- MBEndpointAgent
- McShield
- McTaskManager
- mfefire
- mfemms
- mfevtp
- mfewc
- MMS
- mozyprobackup
- MsDtsServer
- MsDtsServer100
- MsDtsServer110
- MsDtsServer130
- MSExchangeES
- MSExchangeIS
- MSExchangeMGMT
- MSExchangeMTA
- MSExchangeSA
- MSExchangeSRS
- msftesql$PROD
- MSMQ
- MSOLAP$SQL_2008
- MSOLAP$SYSTEM_BGC
- MSOLAP$TPS
- MSOLAP$TPSAMA
- MSSQL$BKUPEXEC
- MSSQL$CITRIX_METAFRAME
- MSSQL$ECWDB2
- MSSQL$EPOSERVER
- MSSQL$ITRIS
- MSSQL$NET2
- MSSQL$PRACTICEMGT
- MSSQL$PRACTTICEBGC
- MSSQL$PROD
- MSSQL$PROFXENGAGEMENT
- MSSQL$SBSMONITORING
- MSSQL$SHAREPOINT
- MSSQL$SQLEXPRESS
- MSSQL$SQL_2008
- MSSQL$SYSTEM_BGC
- MSSQL$TPS
- MSSQL$TPSAMA
- MSSQL$VEEAMSQL2008R2
- MSSQL$VEEAMSQL2012
- MSSQLFDLauncher
- MSSQLFDLauncher$ITRIS
- MSSQLFDLauncher$PROFXENGAGEMENT
- MSSQLFDLauncher$SBSMONITORING
- MSSQLFDLauncher$SHAREPOINT
- MSSQLFDLauncher$SQL_2008
- MSSQLFDLauncher$SYSTEM_BGC
- MSSQLFDLauncher$TPS
- MSSQLFDLauncher$TPSAMA
- MSSQLLaunchpad$ITRIS
- MSSQLSERVER
- MSSQLServerADHelper
- MSSQLServerADHelper100
- MSSQLServerOLAPService
- msvsmon90
- myAgtSvc
- MySQL57
- Net2ClientSvc
- NetDDE
- NetMsmqActivator
- NetSvc
- NimbusWatcherService
- NtLmSsp
- NtmsSvc
- ntrtscan
- odserv
- OracleClientCache80
- ose
- PDVFSService
- POP3Svc
- ProLiantMonitor
- ReportServer
- ReportServer$SQL_2008
- ReportServer$SYSTEM_BGC
- ReportServer$TPS
- ReportServer$TPSAMA
- RESvc
- RSCDsvc
- RumorServer
- sacsvr
- SamSs
- SAVService
- SDD_Service
- SDRSVC
- SentinelAgent
- SentinelHelperService
- SentinelStaticEngine
- SepMasterService
- SepMasterServiceMig
- ShMonitor
- Smcinst
- SmcService
- SMTPSvc
- SNAC
- SnowInventoryClient
- SntpService
- SQL Backups
- SQLAgent$BKUPEXEC
- SQLAgent$CITRIX_METAFRAME
- SQLAgent$CXDB
- SQLAgent$ECWDB2
- SQLAgent$EPOSERVER
- SQLAgent$ITRIS
- SQLAgent$NET2
- SQLAgent$PRACTTICEBGC
- SQLAgent$PRACTTICEMGT
- SQLAgent$PROD
- SQLAgent$PROFXENGAGEMENT
- SQLAgent$SBSMONITORING
- SQLAgent$SHAREPOINT
- SQLAgent$SQLEXPRESS
- SQLAgent$SQL_2008
- SQLAgent$SYSTEM_BGC
- SQLAgent$TPS
- SQLAgent$TPSAMA
- SQLAgent$VEEAMSQL2008R2
- SQLAgent$VEEAMSQL2012
- SQLBrowser
- SQLsafe Backup Service
- SQLsafe Filter Service
- SQLSafeOLRService
- SQLSERVERAGENT
- SQLTELEMETRY
- SQLTELEMETRY$ECWDB2
- SQLTELEMETRY$ITRIS
- SQLWriter
- SSISTELEMETRY130
- SstpSvc
- svcGenericHost
- swi_filter
- swi_service
- swi_update
- swi_update_64
- Symantec
- Symantec System Recovery
- sysdown
- System
- Telemetryserver
- TlntSvr
- TmCCSF
- tmlisten
- TmPfw
- TPAutoConnSvc
- tpautoconnsvc
- TPVCGateway
- TrueKey
- TrueKeyScheduler
- TrueKeyServiceHelper
- TSM
- UI0Detect
- Veeam Backup Catalog Data Service
- VeeamBackupSvc
- VeeamBrokerSvc
- VeeamCatalogSvc
- VeeamCloudSvc
- VeeamDeploymentService
- VeeamDeploySvc
- VeeamEnterpriseManagerSvc
- VeeamHvIntegrationSvc
- VeeamMountSvc
- VeeamNFSSvc
- VeeamRESTSvc
- VeeamTransportSvc
- VGAuthService
- VMTools
- VMware
- vmware-converter-agent
- vmware-converter-server
- vmware-converter-worker
- VMwareCAFCommAmqpListener
- VMwareCAFManagementAgentHost
- W3Svc
- wbengine
- WdNisSvc
- WebClient
- WinDefend
- WinVNC4
- WRSVC
- Zoolz 2 Service
SOLUTION
Step 1
Trend Micro products with the XGen technology detect this malware as
Step 2
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 3
Scan your computer with your Trend Micro product to delete files detected as Ransom.BAT.MEGACORTEX.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: