Ransom.Win32.TARGETCOMP.YXCKCZ

2023年8月22日

分(fēn)析者: Raymart Christian Yambot

Win32:RansomX-gen [Ransom] (AVAST)

平台:

Windows

总體(tǐ)风险等级:

潜在破坏:

潜在分(fēn)布:

感染次数:

信息暴露:

恶意软件类型:
Ransomware
有(yǒu)破坏性？:
没有(yǒu)
加密？:
In the Wild:
是的

概要

感染途徑: 从互联网上下载, 下载了其他(tā)恶意软件

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

技(jì )术详细信息

文(wén)件大小(xiǎo): 143,872 bytes

报告日期: EXE

内存驻留: 没有(yǒu)

初始樣本接收日期: 2022年11月3日

Payload: 连接到 URL/Ip, 收集系统信息, 显示消息/消息框

新(xīn)病毒详细信息

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

安(ān)装(zhuāng)

它添加下列进程：

"%System%\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
"%System%\cmd.exe" /c bcdedit /set {current} recoveryenabled no
"%Windows%\sysnative\vssadmin.exe" delete shadows /all /quiet
taskill -f -im {Stopped Processes}
sc delete {Deleted Services}

(注意: %Windows% 是 Windows 文(wén)件夹，通常位于 C:\WINDOWS 或 C:\WINNT。)

其他(tā)系统修改

它修改下列注册表项：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PolicyManager\default\Start\
HideShutDown
value = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PolicyManager\default\Start\
HideRestart
value = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PolicyManager\default\Start\
HideSignOut
value = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
shutdownwithoutlogon = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\Terminal Services
MaxConnectionTime = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\Terminal Services
MaxDisconnectionTime = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\Terminal Services
MaxIdleTime = 0

它删除下列注册表键值:

HKEY_CURRENT_USER\SOFTWARE\Raccine

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog\Application\
Raccine

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vssadmin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wmic.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wbadmin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bcdedit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
powershell.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
diskshadow.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
net.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
taskkill.exe

进程终止

它终止在受感染的系统内存中(zhōng)运行的下列进程：

sqlserv.exe
oracle.exe
ntdbsmgr.exe
sqlservr.exe
sqlwriter.exe
MsDtsSrvr.exe
msmdsrv.exe
ReportingServecesService.exe
fdhost.exe
fdlauncher.exe
mysql.exe

where (Stopped Processes}

sqlwriter.exe
sqlservr.exe
msmdsrv.exe
MsDtsSrvr.exe
sqlceip.exe
fdlauncher.exe
Ssms.exe
SQLAGENT.EXE
fdhost.exe
fdlauncher.exe
sqlservr.exe
ReportingServicesService.exe
msftesql.exe
pg_ctl.exe
postgres.exe

信息窃取

它收集下列数据:

Computer Name
Product Name
OS Architecture
Application Privilege

窃取信息

它通过 HTTP POST 将收集的信息发送到下列 URL：

http://{BLOCKED}.{BLOCKED}.191.141/QWEwqdsvsf/ap.php

其他(tā)详细信息

该程序执行以下操作(zuò)：

It encrypts files from local drives, removable drives, and network shares.
It DOES NOT continue to routine if User Default Language ID of the system is any of the following:

Russian (0x419)
Kazakh (0x43F)
Belarusian (0x423)
Ukrainian (0x422)
Tatar (0x444)

It blocks any system shutdown and displays the following the message:
- "Do NOT shutdown OR reboot your PC: this might damage your files permanently !"
It reverts the following modified registries entries back to its default values after encryption:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Policies\System\shutdownwithoutlogon
It deletes the following services {Deleted Services}:
- MSSQLFDLauncher
- MSSQLSERVER
- SQLSERVERAGENT
- SQLBrowser
- SQLTELEMETRY
- MsDtsServer130
- SSISTELEMETRY130
- SQLWriter
- MSSQL$VEEAMSQL2012
- SQLAgent$VEEAMSQL2012
- MSSQL
- SQLAgent
- MSSQLServerADHelper100
- MSSQLServerOLAPService
- MsDtsServer100
- ReportServer
- SQLTELEMETRY$HL
- TMBMServer
- MSSQL$PROGID
- MSSQL$WOLTERSKLUWER
- SQLAgent$PROGID
- SQLAgent$WOLTERSKLUWER
- MSSQLFDLauncher$OPTIMA
- MSSQL$OPTIMA
- SQLAgent$OPTIMA
- ReportServer$OPTIMA
- msftesql$SQLEXPRESS
- postgresql-x64-9.4

解决方案

最小(xiǎo)扫描引擎: 9.800

First VSAPI Pattern File: 17.958.03

VSAPI 第一样式发布日期: 2022年11月25日

VSAPI OPR样式版本: 17.959.00

VSAPI OPR样式发布日期: 2022年11月26日

Step 2

对于Windows ME和XP用(yòng)户，在扫描前，请确认已禁用(yòng)系统还原功能(néng)，才可(kě)全面扫描计算机。

Step 3

注意：在此恶意软件/间谍软件/灰色软件执行期间，并非所有(yǒu)文(wén)件、文(wén)件夹和注册表键值和项都会安(ān)装(zhuāng)到您的计算机上。这可(kě)能(néng)是由于不完整的安(ān)装(zhuāng)或其他(tā)操作(zuò)系统条件所致。如果您没有(yǒu)找到相同的文(wén)件/文(wén)件夹/注册表信息，请继续进行下一步操作(zuò)。

Step 4

还原已修改注册表值。

[ 更多(duō) ]

I重要: 错误地编辑 Windows 注册表 会导致系统不能(néng)正常工(gōng)作(zuò)。该操作(zuò)需要在专业人士的指导下完成。或者遵照这篇微软文(wén)章对Windows注册表做相应修改。

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- MaxConnectionTime = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- MaxDisconnectionTime = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- MaxIdleTime = 0

Step 5

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

In HKEY_CURRENT_USER\SOFTWARE\
- Raccine
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
- Raccine
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- vssadmin.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- wmic.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- wbadmin.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- bcdedit.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- powershell.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- diskshadow.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- net.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\\CurrentVersion\Image File Execution Options\
- taskkill.exe

Step 6

搜索和删除这些文(wén)件

[ 更多(duō) ]

有(yǒu)些组件文(wén)件可(kě)能(néng)是隐藏的。请确认在"高级选项"中(zhōng)已选中(zhōng)搜索隐藏文(wén)件和文(wén)件夹复选框，使查找结果包括所有(yǒu)隐藏文(wén)件和文(wén)件夹。

{Drive Letter:}\FILE RECOVERY.txt
{Encrypted Directory:}\FILE RECOVERY.txt

DATA_GENERIC_FILENAME_1

在查找范围下拉列表中(zhōng)，选择

我的電(diàn)脑然后回車(chē)确认。

一旦找到，请选择文(wén)件，然后按下SHIFT+DELETE彻底删除文(wén)件。

对剩余的文(wén)件重复第2到4步： {Drive Letter:}\FILE RECOVERY.txt
{Encrypted Directory:}\FILE RECOVERY.txt

Step 7

使用(yòng)亚信安(ān)全产(chǎn)品扫描计算机，并删除检测到的Ransom.Win32.TARGETCOMP.YXCKCZ文(wén)件如果检测到的文(wén)件已被亚信安(ān)全产(chǎn)品清除、删除或隔离，则无需采取进一步措施。可(kě)以选择直接删除隔离的文(wén)件。请参阅知识库页(yè)面了解详细信息。

Step 8

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.