Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : ac670a35db27d7093667f801b254d407
 
  • Encrypted File Pattern : .venus
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\<Number>.hta
     - C:\Windows\<Number>.png
     - C:\Windows\<Random>.exe
     - <Drive Letter>:\README.html
 
  • Message File : README.html / <Number>.hta
 
  • Major Characteristics :
     - Offline Encryption
     - TrinityLock Ransomware series
     - Recovery Partition (F:\) + EFI System Partition (G:\) drives are activate.
     - Allow Windows firewall rules (netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes)
     - Block processes execution (dbsnmp.exe, isqlplussvc.exe, msftesql.exe, oracle.exe, sqlagent.exe, sqlbrowser.exe etc.)
     - Disable system restore (wbadmin delete catalog -quiet, vssadmin.exe delete shadows /all /quiet, bcdedit.exe /set {current} nx AlwaysOff, wmic SHADOWCOPY DELETE)
     - Change encrypted file (.venus) icon (HKEY_CLASSES_ROOT\.venus\DefaultIcon = C:\Windows\<Number>.png)
     - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\<숫자>.jpg)

List

위로