Ransom.Win32.AGENDA.YPEFR

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Temp%\QLOG\ThreadId(Number).LOG → logs execution status
  

It adds the following processes:

• "cmd" /C fsutil behavior set SymlinkEvaluation R2R:1
• "cmd" /C fsutil behavior set SymlinkEvaluation R2L:1
• "cmd" /C net use
• "cmd" /C wmic service where name='vss' call ChangeStartMode Manual
• "cmd" /C net start vss
• "cmd" /C vssadmin.exe delete shadows /all /quiet
• "cmd" /C net stop vss
• "cmd" /C wmic service where name='vss' call ChangeStartMode Disabled
• "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
• "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
• "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"

It creates the following folders:

• %Temp%\QLOG

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
*vxvjgf = "{Malware file path}" --password {String} --no-admin

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters
MaxMpxCt = 65535

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToRemoteEvaluation = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToLocalEvaluation = 1

Process Termination

This Ransomware terminates the following services if found on the affected system:

• vmms
• mepocs
• memtas
• veeam
• backup
• vss
• sql
• msexchange
• sophos
• msexchange
• msexchange\$
• wsbexchange
• pdvfsservice
• backupexecvssprovider
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• gxblr
• gxvss
• gxclmrs
• gxcvd
• gxcimgr
• gxmmm
• gxvsshwprov
• gxfwd
• sapservice
• sap
• sap\$
• sapd\$
• saphostcontrol
• saphostexec
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• acronisagent
• veeamnfssvc
• veeamdeploymentservice
• veeamtransportsvc
• mvarmor
• mvarmor64
• vsnapvss
• acrsch2svc
• (.*?)sql(.*?)

It terminates the following processes if found running in the affected system's memory:

• vmms
• vmwp
• vmcompute
• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• sql
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• cagservice
• qbidpservice
• qbdbmgrn
• qbcfmonitorservice
• sap
• teamviewer_service
• teamviewer
• tv_w32
• tv_x64
• cvmountd
• cvd
• cvfwd
• cvods
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• dellsystemdetect
• enterpriseclient
• veeamnfssvc
• veeamtransportsvc
• veeamdeploymentsvc
• mvdesktopservice

Other Details

This Ransomware does the following:

• It terminates itself if it detects that the sample is being executed within a virtual environment.
• It requires the correct input password to proceed in its intended routine.
• Impersonates the privileges of the following process:
  • wininit.exe
  • winlogon.exe
  • lsass.exe

It accepts the following parameters:

• --password {String} → password to enter before proceeding with its intended routine
• --paths {Directory} → defines the path that parses directories; if this flag is used and left empty, all directories will be scanned
• --ips {IP Addresses} → Allows for providiing IP addresses
• --excludes {directory} → exclude directory for encryption
• --timer → Sets a time delay before execution.
• --no-sandbox
• --no-escalate
• --impersonate
• --safe
• --no_priority
• --should_be_admin
• --no-local
• --no-domain
• --no-network
• --no-ef
• --no-ff
• --no-df
• --no-proc
• --no-services
• --no-vmkill-cluster
• --no-extension
• --no-wallpaper
• --no-note
• --no-destruct
• --no-zero
• --print-image
• --print-delay
• --force
• --spreads
• --debugspread
• --spread-vcenter
• --dry-run

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• autorun.ini
• ntldr
• bootsect.bak
• thumbs.db
• boot.ini
• ntuser.dat
• iconcache.db
• bootfont.bin
• ntuser.ini
• ntuser.dat.log
• autorun.inf
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• #recycle
• autorun.inf
• boot.ini
• bootfont.bin
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• #recycle
• bootsect.bak

It avoids encrypting files with the following strings in their file path:

• windows
• system volume information
• intel
• admin$
• ipc$
• sysvol
• netlogon
• $windows.~ws
• application data
• mozilla
• program files (x86)
• program files
• $windows.~bt
• msocache
• tor browser
• programdata
• boot
• config.msi
• google
• perflogs
• appdata
• windows.old
• appdata
• boot
• windows
• windows.old
• $recycle.bin
• admin$

It appends the following extension to the file name of the encrypted files:

• {Original filename}.{Original Extension}.CcXB9wE4s7.{Random}

It drops the following file(s) as ransom note:

• {All Available Directories}\README-RECOVER-CcXB9wE4s7.txt
  

It avoids encrypting files with the following file extensions:

• themepack
• nls
• diapkg
• msi
• lnk
• exe
• scr
• bat
• drv
• rtp
• msp
• prf
• msc
• ico
• key
• ocx
• diagcab
• diagcfg
• pdb
• wpx
• hlp
• icns
• rom
• dll
• msstyles
• mod
• ps1
• ics
• hta
• bin
• cmd
• ani
• 386
• lock
• cur
• idx
• sys
• com
• deskthemepack
• shs
• theme
• mpa
• nomedia
• spl
• cpl
• adv
• icl
• msu
• CcXB9wE4s7