Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

MrDec Ransomware (.[ID]<Random>[ID])

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
 
  • MD5 : f60aa176ab425b5ba491021c475a1cde
 
  • Major Detection Name : Win32/Filecoder.NPA (ESET), Trojan.Win32.Z.Antiav.11776 (ViRobot)
 
  • Encrypted File Pattern : .[ID]<Random>[ID]
 
  • Malicious File Creation Location :
     - C:\Windows\clerlog.bat
     - C:\Windows\searchfiles.exe
     - C:\Decoding help.hta
 
  • Payment Instruction File : Decoding help.hta
 
  • Major Characteristics :
     - Offline Encryption
     - DXXD / LockCrypt Ransomware series
     - Encryption starts after killing all process except listed in whitelist processes.
     - Turns off User Access Control (UAC)
     - Disable system restore (vssadmin delete shadows /all)
     - Deletes event log (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "Security", wevtutil.exe cl "Setup", wevtutil.exe cl "System" etc.)
     - Displays ransom note (C:\Windows\SysWow64\mshta.exe "c:\Decoding help.hta") when user executes encrypted file (.[ID]<Random>[ID])

List

위로