Ransom.Win32.AGENDA.E

该勒索软件通过两种途径侵入系统：一是被其他恶意软件作为文件植入，二是用户访问恶意网站时在不知情的情况下下载的文件。

它会先执行，然后自行删除。

它不具备任何传播功能。

它不具备任何后门功能。

它不具备任何信息窃取功能。

它会释放勒索说明文件作为赎金票据，并避免加密具有以下扩展名的文件：

Arrival Details

该勒索软件通过两种途径侵入系统：一是被其他恶意软件作为文件植入，二是用户访问恶意网站时在不知情的情况下下载的文件。

Installation

该勒索软件会创建以下文件夹：

• %User Temp%\QLOG

(Note: %User Temp% 是当前用户的临时文件夹,通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Temp 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local\Temp 在Windows Vista、7、8、8.1、2008（64位）、2012（64位）及10（64位）系统上。）

它会释放以下文件：

• %User Temp%\QLOG\ThreadId({Number}).LOG → 内嵌配置与执行日志
• %User Temp%\{Random Letters}.jpg → image used as desktop wallpaper

(Note: %User Temp% 是当前用户的临时文件夹,通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Temp 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local\Temp 在Windows Vista、7、8、8.1、2008（64位）、2012（64位）及10（64位）系统上。）

它会添加以下进程：

• fsutil behavior set SymlinkEvaluation R2R:1
• fsutil behavior set SymlinkEvaluation R2L:1
• net use
• wmic service where name='vss' call ChangeStartMode Manual
• net start vss
• vssadmin.exe delete shadows /all /quiet
• net stop vss
• wmic service where name='vss' call ChangeStartMode Disabled
• "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)} - clears all event logs
• "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
• "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
• "reg.exe" QUERY "HKEY_USERS"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{USER CLSID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\{SYSTEM SID}\Control Panel\Desktop' -Name Wallpaper -Value '%User Temp%\{Random Letters}.jpg'"
• "powershell" -Command " REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d '%User Temp%\{Random Letters}.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d %User Temp%\{Random Letters}.jpg /f
• "%System%\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
• "cmd" /C timeout /T 10 & Del "{Malware Fullpath}"

(Note: %User Temp% 是当前用户的临时文件夹,通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Temp 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% 是Windows系统文件夹,通常位于此路径 C:\Windows\System32 适用于所有Windows操作系统版本。）

它会先执行，然后自行删除。

Autostart Technique

该勒索软件会添加以下注册表项，以实现每次系统启动时自动执行：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
*{Random Letters} = "{Malware Full Path}" --password {Password} --no-admin

其他系统修改

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToLocalEvaluation = 1

注：该注册表项的默认值为 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
SymlinkRemoteToRemoteEvaluation = 1

注：该注册表项的默认值为 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

注：该注册表项的默认值为 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters
MaxMpxCt = 65535

注：该注册表项的默认值为 {Default Value}.)

它通过修改以下注册表项来更改桌面壁纸：

HKEY_CURRENT_USERS\Control Panel\Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image}.)

HKEY_USERS\.DEFAULT\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image}.)

HKEY_USERS\{LOCAL SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image}.)

HKEY_USERS\{NETWORK SERVICE SID}\Control Panel\
Desktop
Wallpaper = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Personalization
LockScreenImageStatus = 1

注：该注册表项的默认值为 {Default Value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImagePath = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image Path}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageUrl = %User Temp%\{Random Letters}.jpg

注：该注册表项的默认值为 {Default Image URL}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\PersonalizationCSP
LockScreenImageStatus = 1

注：该注册表项的默认值为 {Default Value}.)

它将系统桌面壁纸设置为以下图像：

Propagation

该勒索软件不具备任何传播功能。

Backdoor Routine

该勒索软件不具备任何后门功能。

Rootkit Capabilities

该勒索软件不具备Rootkit功能。

进程终止

若在受感染系统上发现以下服务，该勒索软件会将其终止：

• (.*?)sql(.*?)
• acronisagent
• acrsch2svc
• backup
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• backupexecvssprovider
• gxblr
• gxcimgr
• gxclmgrs
• gxcvd
• gxfwd
• gxmmm
• gxvss
• gxvsshwprov
• memtas
• mepocs
• msexchange
• msexchange\$
• mvarmor
• mvarmor64
• pdvfsservice
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• sap
• sap\$
• sapd\$
• saphostcontrol
• saphostexec
• sapservice
• sophos
• sql
• veeam
• veeamdeploymentservice
• veeamnfssvc
• veeamtransportsvc
• vsnapvss
• vss
• wsbexchange

若在受感染系统的内存中发现以下进程正在运行，该勒索软件会将其终止：

• agntsvc
• avagent
• avscc
• bedbh
• benetns
• bengien
• beserver
• cagservice
• cvd
• cvfwd
• cvmountd
• cvods
• dbeng50
• dbsnmp
• dellsystemdetect
• encsvc
• enterpriseclient
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mvdesktopservice
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• raw_agent_svc
• sap
• saphostexec
• saposcol
• sapstartsrv
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• teamviewer
• teamviewer_service
• thebat
• thunderbird
• tv_w32
• tv_x64
• veeamdeploymentsvc
• veeamnfssvc
• veeamtransportsvc
• visio
• vmcompute
• vmwp
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Information Theft

该勒索软件接受以下参数：

• --password {Password} → requires a password to run the ransomware
  • --debug → enables debugging mode
  • --dry-run → tests file encryption then restores files back to original
  • --escalated → run with elevated privileges
  • --exclude {Host to Exclude} → excludes specified hosts when self-propagating
  • --fde
  • --force
  • --impersonate {Account} → uses the specified account for impersonation
  • --ips {IP Addresses} → encrypts hosts with specified IP addresses
  • --kill-cluster → disables VM clusters
  • --logs → compresses the logs into a ZIP file and saves as {Malware Path}\QLOGS.zip
  • --no-admin → disables running as admin
  • --no-autostart → disables creating autostart
  • --no-delete → disables deleting folders
  • --no-destruct → disables self-destruct
  • --no-df → disables using the directory name filter
  • --no-domain → disables encrypting files on domain hosts
  • --no-ef → disables using the file extension filter
  • --no-escalate → disables privilege escalation
  • --no-extension → disables appending extension to the encrypted files
  • --no-ff → disables using a filename filter
  • --no-local → disables encrypting files on the local system
  • --no-logs → disables logging
  • --no-mounted → disables mounting drives for encryption
  • --no-network → disables encrypting files on network shares
  • --no-note → disables dropping ransom note
  • --no-priority → disables prioritization during encryption
  • --no-proc → disables process termination
  • --no-sandbox → disables the detection of running in a virtual machine
  • --no-services → disables stopping system services
  • --no-vm → disables stopping virtual machines
  • --no-wallpaper → disables setting the desktop wallpaper
  • --no-zero → disables free space cleanup of host disks
  • --parent-sid {SID} → passes the SID of the user of the parent process to the program
  • --paths {Directories} → encrypts files at specified paths
  • --print-delay {Seconds} → delay before printing
  • --print-image → enables printing the image
  • --safe → reboots into safe mode before encrypting files
  • --spread → enables self-propagation
  • --spread-process → indicates the program that it is running in self-propagation
  • --spread-vcenter → self-propagate using vCenter
  • --timer {Seconds} → sets the waiting time in seconds before encryption and other actions are performed

它不具备任何信息窃取功能。

其他信息

该勒索软件会执行以下操作：

• It enables the following privileges to allow access to restricted actions in the system:
  • SeDebugPrivilege
  • SeImpersonatePrivilege
  • SeIncreaseBasePriorityPrivilege
• It repeatedly clears all event logs in the system.
• It retrieves the DNS hostnames of all computers in an Active Directory domain before encrypting them.
• It deletes all shadow copies and disables automatic startup of Volume Shadow Copy Service

它不会利用任何漏洞。

Ransomware Routine

该勒索软件会避免加密文件名中包含以下字符串的文件：

• #recycle
• autorun.inf
• autorun.ini
• boot.ini
• bootfont.bin
• bootmgfw.efi
• bootmgr
• bootmgr.efi
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

它会避免加密以下文件夹中的文件：

• $recycle.bin
• $windows.~bt
• $windows.~ws
• admin$
• appdata
• application data
• boot
• config.msi
• google
• intel
• ipc$
• mozilla
• msocache
• netlogon
• perflogs
• program files
• program files (x86)
• programdata
• system volume information
• sysvol
• tor browser
• windows
• windows.old

它会为加密文件的文件名添加以下扩展名：

• .Pp47BxTX39

它会释放以下文件作为勒索信：

• {encrypted path}\README-RECOVER-Pp47BxTX39.txt
  

它会避免加密具有以下文件扩展名的文件：

• .386
• .adv
• .ani
• .bat
• .bin
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diapkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .pdb
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx
• .Pp47BxTX39