Ransom.Win32.AGENDA.E

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Este malware no tiene ninguna rutina de propagación.

Este malware no tiene ninguna rutina de puerta trasera.

Este malware no tiene ninguna capacidad para robar información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %User Temp%\QLOG

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Infiltra los archivos siguientes:

• %User Temp%\QLOG\ThreadId({Number}).LOG → contains embedded configuration and execution logs
• %User Temp%\{Random Letters}.jpg → image used as desktop wallpaper

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega los procesos siguientes:

• fsutil behavior set SymlinkEvaluation R2R:1
• fsutil behavior set SymlinkEvaluation R2L:1
• net use
• wmic service where name='vss' call ChangeStartMode Manual
• net start vss
• vssadmin.exe delete shadows /all /quiet
• net stop vss
• wmic service where name='vss' call ChangeStartMode Disabled
• "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)} - clears all event logs
• "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
• "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
• "reg.exe" QUERY "HKEY_USERS"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER CLSID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{SYSTEM SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command " REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "cmd" /C timeout /T 10 & Del "{Malware Fullpath}"

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Se ejecuta y, a continuación, se elimina.

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
*{Random Letters} = "{Malware Full Path}" --password {Password} --no-admin

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToLocalEvaluation = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToRemoteEvaluation = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters
MaxMpxCt = 65535

(Note: The default value data of the said registry entry is {Default Value}.)

Cambia el fondo de escritorio mediante la modificación de las siguientes entradas de registro:

HKEY_CURRENT_USERS\Control Panel\Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\.DEFAULT\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageStatus = 1

(Note: The default value data of the said registry entry is {Default Value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

(Note: The default value data of the said registry entry is {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageStatus = 1

(Note: The default value data of the said registry entry is {Default Value}.)

Este malware establece la imagen siguiente como fondo de escritorio del sistema:

Propagación

Este malware no tiene ninguna rutina de propagación.

Rutina de puerta trasera

Este malware no tiene ninguna rutina de puerta trasera.

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• (.*?)sql(.*?)
• acronisagent
• acrsch2svc
• backup
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• backupexecvssprovider
• gxblr
• gxcimgr
• gxclmgrs
• gxcvd
• gxfwd
• gxmmm
• gxvss
• gxvsshwprov
• memtas
• mepocs
• msexchange
• msexchange\$
• mvarmor
• mvarmor64
• pdvfsservice
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• sap
• sap\$
• sapd\$
• saphostcontrol
• saphostexec
• sapservice
• sophos
• sql
• veeam
• veeamdeploymentservice
• veeamnfssvc
• veeamtransportsvc
• vsnapvss
• vss
• wsbexchange

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• agntsvc
• avagent
• avscc
• bedbh
• benetns
• bengien
• beserver
• cagservice
• cvd
• cvfwd
• cvmountd
• cvods
• dbeng50
• dbsnmp
• dellsystemdetect
• encsvc
• enterpriseclient
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mvdesktopservice
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• raw_agent_svc
• sap
• saphostexec
• saposcol
• sapstartsrv
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• teamviewer
• teamviewer_service
• thebat
• thunderbird
• tv_w32
• tv_x64
• veeamdeploymentsvc
• veeamnfssvc
• veeamtransportsvc
• visio
• vmcompute
• vmwp
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Robo de información

Acepta los siguientes parámetros:

• --password {Password} → requires a password to run the ransomware
  • --debug → enables debugging mode
  • --dry-run → tests file encryption then restores files back to original
  • --escalated → run with elevated privileges
  • --exclude {Host to Exclude} → excludes specified hosts when self-propagating
  • --fde
  • --force
  • --impersonate {Account} → uses the specified account for impersonation
  • --ips {IP Addresses} → encrypts hosts with specified IP addresses
  • --kill-cluster → disables VM clusters
  • --logs → compresses the logs into a ZIP file and saves as {Malware Path}\QLOGS.zip
  • --no-admin → disables running as admin
  • --no-autostart → disables creating autostart
  • --no-delete → disables deleting folders
  • --no-destruct → disables self-destruct
  • --no-df → disables using the directory name filter
  • --no-domain → disables encrypting files on domain hosts
  • --no-ef → disables using the file extension filter
  • --no-escalate → disables privilege escalation
  • --no-extension → disables appending extension to the encrypted files
  • --no-ff → disables using a filename filter
  • --no-local → disables encrypting files on the local system
  • --no-logs → disables logging
  • --no-mounted → disables mounting drives for encryption
  • --no-network → disables encrypting files on network shares
  • --no-note → disables dropping ransom note
  • --no-priority → disables prioritization during encryption
  • --no-proc → disables process termination
  • --no-sandbox → disables the detection of running in a virtual machine
  • --no-services → disables stopping system services
  • --no-vm → disables stopping virtual machines
  • --no-wallpaper → disables setting the desktop wallpaper
  • --no-zero → disables free space cleanup of host disks
  • --parent-sid {SID} → passes the SID of the user of the parent process to the program
  • --paths {Directories} → encrypts files at specified paths
  • --print-delay {Seconds} → delay before printing
  • --print-image → enables printing the image
  • --safe → reboots into safe mode before encrypting files
  • --spread → enables self-propagation
  • --spread-process → indicates the program that it is running in self-propagation
  • --spread-vcenter → self-propagate using vCenter
  • --timer {Seconds} → sets the waiting time in seconds before encryption and other actions are performed

Este malware no tiene ninguna capacidad para robar información.

Otros detalles

Hace lo siguiente:

• It enables the following privileges to allow access to restricted actions in the system:
  • SeDebugPrivilege
  • SeImpersonatePrivilege
  • SeIncreaseBasePriorityPrivilege
• It repeatedly clears all event logs in the system.
• It retrieves the DNS hostnames of all computers in an Active Directory domain before encrypting them.
• It deletes all shadow copies and disables automatic startup of Volume Shadow Copy Service