- Distribution Method : Remote access through Remote Desktop Protocol (RDP) or Terminal Services
- MD5 : 315aaf1f0128e50999fd5b82949a9267
- Major Detection Name : Ransom.FileCryptor (Malwarebytes), Trojan:MSIL/AgentTesla.KA!MTB (Microsoft)
- Encrypted File Pattern : .mallox
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Local\Temp\AdvancedRun.exe
  - C:\Users\%UserName%\AppData\Local\Temp\Blffpekna.vbs
  - C:\Users\%UserName%\AppData\Local\Temp\MSBuild.exe
  - C:\Users\%UserName%\AppData\Local\Temp\Yubhigusnhbrkitykwictqkill$.bat
- Payment Instruction File : HOW TO RECOVER !!.TXT / RECOVERY INFORMATION.txt
- Major Characteristics :
  - Offline encryption
  - Oppo ransomware series
  - File encryption performed through a clean (legitimate) Microsoft .NET Framework binary, "%Temp%\MSBuild.exe"
  - Disables Windows Defender
  - Blocks execution of processes (fdhost.exe, httpd.exe, java.exe, reportingservicesservice.exe, softmgrlite.exe, sqlservr.exe, etc.)
  - Deletes multiple services (MSSQLFDLauncher, QcSoftService, SQLBrowser, SQLSERVERAGENT, SQLWriter, VMTools, etc.)
  - Stops multiple services (Apache2.4, HaoZipSvc, igfxCUIService2.0.0.0, memcached Server, MSComplianceAudit, U8WorkerService1, etc.)
  - Disables system restore (vssadmin.exe delete shadows /all /quiet, bcdedit /set {current} bootstatuspolicy ignoreallfailures, bcdedit /set {current} recoveryenabled no)
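The recovery-inhibition commands and the MSBuild.exe copy dropped to %Temp% are the most detectable parts of this profile from process-creation telemetry. The following is an added example (not part of the original profile) of detection logic that flags them: it assumes a simplified record shape with the `Image` and `CommandLine` fields that a process-creation event such as Sysmon Event ID 1 carries, and the sample events it runs over are constructed, not real telemetry. The rule names and the `alice` user path are illustrative choices.

```python
"""Detection logic for the recovery-inhibition commands and the %Temp%
MSBuild.exe execution listed in the profile above.

Constructed example: records mimic the Image / CommandLine fields of a
process-creation event (e.g. Sysmon Event ID 1). Not part of the original page.
"""
import re
from typing import Dict, List, Tuple

# One pattern per command in the profile. Case-insensitive and tolerant of
# extra whitespace and of the ".exe" suffix being present or absent.
RECOVERY_INHIBITION_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("bcdedit-ignore-boot-failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# MSBuild.exe is a signed .NET build tool; a legitimate copy lives under the
# .NET Framework or Visual Studio directories, not under a user's Temp folder.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify(record: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single process-creation record triggers."""
    hits: List[str] = []
    cmd = record.get("CommandLine", "")
    image = record.get("Image", "")
    for name, pattern in RECOVERY_INHIBITION_RULES:
        if pattern.search(cmd):
            hits.append(name)
    if image.lower().endswith("\\msbuild.exe") and TEMP_DIR_RE.search(image):
        hits.append("msbuild-from-temp")
    return hits


def scan(records: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (record index, rule names) for every record that matched at least one rule."""
    findings = []
    for idx, record in enumerate(records):
        hits = classify(record)
        if hits:
            findings.append((idx, hits))
    return findings


# Constructed sample events (hypothetical user "alice"; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} bootstatuspolicy ignoreallfailures"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} recoveryenabled no"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MSBuild.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\MSBuild.exe"},
    # Benign controls: listing shadows, and MSBuild run from its framework directory.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe build.proj"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The benign controls at the end matter as much as the positive cases: `vssadmin list shadows` and MSBuild.exe launched from the .NET Framework directory are routine on administrator and developer machines, so the rules key on the destructive arguments and on the Temp-folder path rather than on the binary names alone.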