Ransom.Win32.SPOOSH.THGAGBC

2023年7月27日

分析者: John Rainier Navato

Generic.Ransom.DCRTR.7E80656D (BITDEFENDER)

平台:

Windows

总体风险等级:

潜在破坏:

潜在分布:

感染次数:

信息暴露:

恶意软件类型:
Ransomware
有破坏性？:
没有
加密？:
没有
In the Wild:
是的

概要

感染途徑: ???????, ?????????

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

????????,????????

技术详细信息

文件大小: 5,153,366 bytes

报告日期: EXE

内存驻留: 没有

初始樣本接收日期: 2023年7月18日

Payload: ??? URL/Ip, ??????, ???????, ????, ????

???????

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

???????:

%System%\cmd.exe /C "vssadmin delete shadows /all /quiet"
%System%\cmd.exe /C "rd /s /q %systemdrive%\$Recycle.bin"
%System%\WindowsPowershell\v1.0\powershell.exe -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLinkedConnections -Value 1 -PropertyType 'DWord'"
%System%\WindowsPowershell\v1.0\powershell.exe -Command "get-service LanmanWorkstation |Restart-Service –Force"
attrib.exe -R {Directory to Encrypt}\{File Name to Encrypt}.{File Extension to Encrypt}
mshta.exe %System Root%\Boot\cs-CZ\information.hta

(??: %System% ? Windows ? system ???,???? C:\Windows\System (Windows 98 ? ME)?C:\WINNT\System32 (Windows NT ? 2000) ? C:\WINDOWS\system32 (Windows 2000(32-bit)?XP?Server 2003(32-bit)?Vista?7?8?8.1?2008(64-bit),2012(64bit) ? 10(64-bit))?

(??: %System Root% ?????,???? C:\??????????????)

??????

?????????:

HKEY_CURRENT_USER\Printers\SettingsLow
DI = {8 Random Alphanumeric Characters}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

????????????????:

%AppDataLocal%\wallpaper.jpg

????

????????????????????:

Agntsvc.exe
Dbeng50.exe
Dbsnmp.exe
Encsvc.exe
Excel.exe
Firefox.exe
Infopath.exe
Isqlplussvc.exe
Msaccess.exe
Mspub.exe
Mydesktopqos.exe
Mydesktopservice.exe
Notepad.exe
Ocautoupds.exe
Ocomm.exe
Ocssd.exe
Onenote.exe
Oracle.exe
Outlook.exe
Powerpnt.exe
Sqbcoreservice.exe
Sql.exe
Steam.exe
Synctime.exe
Tbirdconfig.exe
Thebat.exe
Thunderbird.exe
Ut.exe
Utweb.exe
Visio.exe
Winword.exe
Wordpad.exe
Xfssvccon.exe

????

???????:

%AppDataLocal%\wallpaper.jpg

????

???????:

Processor Name
Memory
Internal IP Address
Manufacturer
OS Version
Computer Name
Product Name
External IP Address
Device ID

??????

??????????:

HKEY_CURRENT_USER\Printers\SettingsLow

????????,???????:

tcp://{BLOCKED}.{BLOCKED}.154.137:21119

?????????:

It terminates itself if the computer language is Russian
It downloads the desktop wallpaper to be set from the following url:
- https://i.{BLOCKED}g.cc/JzpfvBFf/wallapaper.jpg
It connects to the following url to identify the machine's external IP address:
- https://{BLOCKED}rnalip.com

解决方案

最小扫描引擎: 9.800

First VSAPI Pattern File: 18.582.02

VSAPI 第一样式发布日期: 2023年7月20日

VSAPI OPR样式版本: 18.583.00

VSAPI OPR样式发布日期: 2023年7月21日

Step 1

??Windows ME?XP??,????,????????????,??????????

Step 2

注意：在此恶意软件/间谍软件/灰色软件执行期间，并非所有文件、文件夹和注册表键值和项都会安装到您的计算机上。这可能是由于不完整的安装或其他操作系统条件所致。如果您没有找到相同的文件/文件夹/注册表信息，请继续进行下一步操作。

Step 3

???????

[ 更多 ]

????:????Windows???

[ 更多 ]

,????Microsoft??,????????????

In HKEY_CURRENT_USER\Printers\SettingsLow
- DI = {8 Random Alphanumeric Characters}
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- EnableLinkedConnections = 1

Step 4

????????

[ 更多 ]

????:????Windows???????????????????????????????????????????,????Microsoft??,????????????

In HKEY_CURRENT_USER\Printers
- SettingsLow

Step 5

????????

[ 更多 ]

??????????????????????????????????????,??????????????????

{Encrypted Directory}\information.hta
%AppDataLocal%\wallpaper.jpg

Step 6

?????????????,???????Ransom.Win32.SPOOSH.THGAGBC?? ????????????????????????,????????????????????????????????????????

Step 7