
  • Distribution Method : Remote access through Remote Desktop Protocol (RDP) or Terminal Services
 
  • MD5 : 7665499f2a1dfd55439c266831f1584d
 
  • Major Detection Name : A variant of Win64/Filecoder.Teslarvng.A (ESET), Ransom:Win32/LiquidCrypt.PA!MTB (Microsoft)
 
  • Encrypted File Pattern : <Original Filename>.<Original Extension> → id[<Random>].[unknownteam@criptext.com].<Original Filename>.<Original Extension>.Liquid
 
  • Malicious File Creation Location :
     - <Drive Letter>:\Liquid
     - <Drive Letter>:\Liquid\<Number>o
     - <Drive Letter>:\Liquid\<Number>s
     - <Drive Letter>:\Liquid\Liquid.hta
     - C:\ProgramData\Adobe
     - C:\ProgramData\Adobe\Extension Manager CC
     - C:\ProgramData\Adobe\Extension Manager CC\Logs
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\<Drive Letter>.txt 
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\disk 0(<Drive Letter>).txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\disk -1(<Drive Letter>).txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\fails.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\larges.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\lockeds.txt
     - C:\ProgramData\dat
     - C:\ProgramData\dat\<Number>o
     - C:\ProgramData\dat\<Number>s
     - C:\ProgramData\dat\hds
     - C:\ProgramData\dat\pos.txt
     - C:\ProgramData\dat\running.txt
     - C:\ProgramData\dat\runs.txt
     - C:\ProgramData\dat\st.xpi
     - C:\Users\%UserName%\AppData\Local\Temp\sdelete.exe
     - C:\Windows\System32\Tasks\logg
     - C:\Windows\logg.bat
     - C:\Liquid.hta
 
  • Payment Instruction File : Liquid.hta
 
  • Major Characteristics :
     - Offline encryption: files are encrypted without contacting a command-and-control server, so blocking outbound traffic does not stop the encryption.
     - Teslarvng ransomware series
     - Persistence: registers a Windows service named defragsrv so the ransomware is started automatically.
     - Anti-forensics: registers a scheduled task named "logg" that runs C:\Windows\logg.bat every 10 minutes to clear the Windows event logs.
     - Prevents recovery by deleting the Volume Shadow Copies (which System Restore depends on) and the Windows Backup catalog (vssadmin.exe Delete Shadows /All /Quiet, wbadmin.exe delete catalog -quiet, WMIC.exe shadowcopy delete)
     - Uses Sysinternals SDelete to overwrite the free space of each drive ("%Temp%\sdelete.exe" -nobanner -z <Drive Letter>:), so the originals deleted after encryption cannot be carved back with a file-recovery tool.
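
The indicators above (the encrypted-file name pattern, the shadow-copy and backup-catalog deletion commands, the sdelete free-space wipe, the logg.bat task and the defragsrv service) are what a responder sweeps a suspect host for. The following Python is an added example written for this page, not code from the page's vendor or from the ransomware itself: it parses a Liquid file name back to the original name, matches process-creation command lines (Sysmon event 1 / Security event 4688 style) against the commands listed, and checks a host inventory for the named service, task and files. The regular expressions, the rule names, the sample events (PIDs, the user name alice) and the victim id A1B2C3D4 are constructed for the example and are not real telemetry.

```python
import re

# Encrypted-file name documented on the page:
#   id[<Random>].[unknownteam@criptext.com].<Original Filename>.<Original Extension>.Liquid
# The regex is this example's own; the bracketed id is treated as opaque text.
LIQUID_NAME_RE = re.compile(
    r"^id\[(?P<rid>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<orig>.+)\.Liquid$",
    re.IGNORECASE,
)


def parse_liquid_name(name: str):
    """Split an encrypted file name into (victim id, contact e-mail, original name).

    Returns None for names that do not follow the Liquid pattern, including the
    ransom note Liquid.hta itself, so the function can be run over a whole
    directory listing to inventory what was encrypted.
    """
    m = LIQUID_NAME_RE.match(name)
    if not m:
        return None
    return m.group("rid"), m.group("email"), m.group("orig")


# Process-creation rules for the commands listed under Major Characteristics.
# Patterns are case-insensitive and tolerate an absolute path before the image
# name (e.g. C:\Windows\System32\vssadmin.exe), which is how process-creation
# events usually record them. "vssadmin list shadows" deliberately does not match.
COMMAND_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("sdelete_free_space_wipe", re.compile(r"\bsdelete(?:\.exe)?\b.*\s-z\s+[a-z]:", re.I)),
    ("logg_bat_event_log_clear", re.compile(r"\\windows\\logg\.bat\b", re.I)),
]


def match_command_line(cmdline: str):
    """Names of every rule the command line triggers; empty list when nothing matches."""
    return [name for name, rx in COMMAND_RULES if rx.search(cmdline)]


# Host artifacts from the page's indicator list, lower-cased for comparison.
SERVICE_NAMES = {"defragsrv"}
TASK_NAMES = {"logg"}
FILE_TAILS = (
    r"\windows\logg.bat",
    r"\windows\system32\tasks\logg",
    r"\programdata\dat\running.txt",
    r"\programdata\dat\runs.txt",
    r"\programdata\dat\pos.txt",
    r"\programdata\dat\st.xpi",
    r"\appdata\local\temp\sdelete.exe",
    r"\liquid.hta",  # covers <Drive>:\Liquid.hta and <Drive>:\Liquid\Liquid.hta
)


def match_host_artifacts(services, tasks, files):
    """Return indicator strings for every known service, task or file found.

    `services`, `tasks` and `files` are plain name/path iterables, e.g. collected
    with Get-Service, Get-ScheduledTask and a directory walk on the suspect host.
    """
    hits = [f"service:{s}" for s in services if s.lower() in SERVICE_NAMES]
    hits += [f"task:{t}" for t in tasks if t.lower() in TASK_NAMES]
    hits += [f"file:{f}" for f in files if f.lower().endswith(FILE_TAILS)]
    return hits


# --- constructed sample process-creation events (not real telemetry) --------
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4132, "cmd": r"wbadmin.exe delete catalog -quiet"},
    {"pid": 4140, "cmd": r"WMIC.exe shadowcopy delete"},
    {"pid": 4188, "cmd": r'"C:\Users\alice\AppData\Local\Temp\sdelete.exe" -nobanner -z C:'},
    {"pid": 4202, "cmd": r"cmd.exe /c C:\Windows\logg.bat"},
    {"pid": 4210, "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},  # benign
    {"pid": 4220, "cmd": r"vssadmin.exe list shadows"},  # benign: listing, not deleting
]


def scan_events(events):
    """Return [(pid, rule names)] for every event that hits at least one rule."""
    out = []
    for ev in events:
        hits = match_command_line(ev["cmd"])
        if hits:
            out.append((ev["pid"], hits))
    return out


if __name__ == "__main__":
    for pid, hits in scan_events(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
    print(parse_liquid_name("id[A1B2C3D4].[unknownteam@criptext.com].budget.xlsx.Liquid"))
    print(match_host_artifacts(["Spooler", "defragsrv"], ["logg"],
                               [r"C:\Windows\logg.bat", r"C:\Windows\notepad.exe"]))
```

The command-line rules are the part worth alerting on in real time: shadow-copy deletion and a free-space wipe from %Temp% are rarely legitimate on a workstation, and they fire before encryption has finished. The host-artifact check is for after the fact, when the service, task and dropped files confirm which family was involved; the Extension Manager CC\Logs files are left out of it because that directory can also belong to a genuine Adobe install.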
