Ransom.Win64.NUBIAS.THDBIBE.go

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %ProgramData%\icon.ico → icon of encrypted files
• %ProgramData%\wall.jpg → desktop wallpaper

Agrega los procesos siguientes:

• vssadmin delete shadows /for=norealvolume /all /quiet → deletes shadow copies
• reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsft\Windows\CurrentVersion\Policies\System\" /v Wallpaper /t REG_SZ /d \"%ProgramData%\wall.jpg" /f → change desktop wallpaper

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• SQLPBDMS
• SQLPBENGINE
• MSSQLFDLauncher
• SQLSERVERAGENT
• MSSQLServerOLAPService
• SSASTELEMETRY
• SQLBrowser
• SQL Server Distributed Replay Client
• SQL Server Distributed Replay Controlle
• MsDtsServer150
• SSISTELEMETRY150
• SSISScaleOutMaster150
• SSISScaleOutWorker150
• MSSQLLaunchpad
• SQLWriter
• SQLTELEMETRY
• MSSQLSERVER
• AcronisAgent
• AcrSch2Svc
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• sophos
• sql
• stc_raw_agent
• svc$
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• YooBackup
• Yoo

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• wxServer.exe
• wxServerView.exe
• sqlmangr.exe
• RAgui.exe
• supervise.exe
• Culture.exe
• Defwatch.exe
• httpd.exe
• sync-taskbar
• sync-worker
• wsa_service.exe
• synctime.exe
• vxmon.exe
• sqlbrowser.exe
• tomcat6.exe
• Sqlservr.exe
• AcronisAgent
• AcrSch2Svc
• agntsvc.exe
• BackExecRPCService
• backup
• BackupExecAgentAccelerator
• BackupExecDiveciMediaService
• BackupExecJobEngine
• bedbg
• CAARCUpdateSvc
• ccEvtMgr
• Culserver
• dbeng50.exe
• dbeng8
• dbsnmp.exe
• dbsrv12.exe
• DefWatch
• encsvc.exe
• excel.exe
• firefox.exe
• infopath.exe
• Intuit.QuickBooks.FCS
• isqlplussvc.exe
• memtas
• mepocs
• msaccess.exe
• MSExchange
• msftesql-Exchange
• msmdsrv
• mspub.exe
• MSSQL
• mydesktopqos.exe
• mydesktopservice.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• PDVFSService
• powerpnt.exe
• QBCFMonitorService
• QBFCService
• QBIDPService
• SavRoam
• sophos
• sqbcoreservice.exe
• sql.exe
• sqladhlp
• SQLADHLP
• sqlagent
• SQLAgent
• SQLAgent$SHAREPOINT
• SQLBrowser
• SQLWriter
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• tomcat6
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• visio.exe
• vmware-converter
• vmware-usbarbitator64
• WinSAT.exe
• winword.exe
• wordpad.exe
• WSBExchange
• xfssvccon.exe
• YooBackup

Robo de información

Acepta los siguientes parámetros:

• /KEY={launch string} → required to proceed to its encryption routine
  • /elevated → execute the program with admin privileges
  • /WIPEMODE → delete the contents of a file
  • /PFAD= → specify directories to be excluded from encryption
  • /PATH={directory} → path to encrypt

Otros detalles

Hace lo siguiente:

• It checks if the malware was executed with admin privileges.
• It erases the contents of files if /WIPEMODE parameter has been applied.
• It changes the file icon of the encrypted files into the following image: