Ransom.Win64.HORUSKRYPT.THIAGBD

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

新病毒详细信息

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

安装

它在受感染的系统中植入下列自身副本：

• %User Startup%\{32 random alphanumeric}.exe

(注意: %User Startup% 是当前用户的启动文件夹，通常位于 C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup (Windows NT)、C:\Documents and Settings\{User name}\Start Menu\Programs\Startup (Windows 2003(32-bit)、XP、2000(32-bit)) 和 C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit))。)

它植入下列文件：

• %ProgramData%\{32 random alphanumeric}.ico → icon of encrypted files
• %ProgramData%\{32 random alphanumeric}.bmp → desktop wallpaper after encryption

它添加下列进程：

• vssadmin Delete Shadows /All /Quiet
• bcdedit /set {default} recoveryenabled No
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• wmic SHADOWCOPY /nointeractive

它添加下列互斥条目，确保一次只会运行一个副本：

• 51A301AD-3CCF-413A-AD80-A507DDCFF34C

其他系统修改

它添加下列注册表项：

HKEY_CLASSES_ROOT\.h0rus13\DefaultIcon
{default} = %ProgramData%\{32 random alphanumeric}.ic

HKEY_CURRENT_USER\Software\Krypt
public = {hex values}

HKEY_CURRENT_USER\Software\Krypt
full = {hex values}

它修改下列注册表项：

HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\
Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\
Windows Defender
DisableRealtimeMonitoring = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\WinRE
DisableSetup = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\Backup\
Client
DisableRestoreUI = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\Backup\
Client
DisableBackupLauncher = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\Backup\
Client
DisableSystemBackupUI = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\Backup\
Client
DisableBackupUI = 1

它将系统的桌面壁纸设置为下列图像：

进程终止

它终止在受感染的系统上运行的下列服务：

• wrapper
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• Sqlservr
• sqlagent
• sqladhlp
• Culserver
• RTVscan
• sqlbrowser
• SQLADHLP
• QBIDPService
• Intuit.QuickBooks.FCS
• QBCFMonitorService
• msmdsrv
• tomcat6
• zhudongfangyu
• vmware-usbarbitator64
• vmware-converter
• dbsrv12
• dbeng8
• MSSQL$MICROSOFT##WID
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• SQLBrowser
• SQLWriter
• FishbowlMySQL
• MSSQL$MICROSOFT##WID
• MySQL57
• MSSQL$KAV_CS_ADMIN_KIT
• MSSQLServerADHelper100
• SQLAgent$KAV_CS_ADMIN_KIT
• msftesql-Exchange
• MSSQL$MICROSOFT##SSEE
• MSSQL$SBSMONITORING

它终止在受感染的系统内存中运行的下列进程：

• wxserver
• wxserverview
• sqlmangr
• ragui
• supervise
• culture
• defwatch
• winword
• qbw32
• qbdbmgr
• qbupdate
• axlbridge
• httpd
• fdlauncher
• msdtsrvr
• java
• 360se
• 360doctor
• wdswfsafe
• fdhost
• gdscan
• zhudongfangyu
• qbdbmgrn
• mysqld
• autodeskdesktopapp
• acwebbrowser
• creative cloud
• adobe desktop service
• coresync
• adobe cef
• helper
• node
• adobeipcbroker
• sync-taskbar
• sync-worker
• inputpersonalization
• adobecollabsync
• brctrlcntr
• brccuxsys
• simplyconnectionmanager
• simply.systemtrayicon
• fbguard
• fbserver
• onenotem
• wsa_service
• koaly-exp-engine-service
• teamviewer_service
• teamviewer
• tv_w32
• tv_x64
• titanv
• ssms
• notepad
• rdrcef
• sam
• oracle
• ocssd
• dbsnmp
• synctime
• agntsvc
• isqlplussvc
• xfssvccon
• mydesktopservice
• ocautoupds
• encsvc
• tbirdconfig
• mydesktopqos
• ocomm
• dbeng50
• sqbcoreservice
• exce
• infopath
• msaccess
• mspub
• onenote
• outlook
• powerpnt
• steam
• thebat
• thunderbird
• visio
• wordpad
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• cagservice
• dellsystemdetect
• enterpriseclient
• processhacker
• procexp64
• procexp
• glasswire
• gwctlsrv
• wireshark
• dumpcap
• j0gnjko1
• autoruns
• autoruns64a
• autorunsc
• autorunsc64a
• sysmon
• sysmon64
• procexp64a
• procmon
• procmon64
• procmon64a
• adexplorer
• adexplorer64
• adexplorer64a
• tcpview
• tcpview64
• tcpview64a
• avz
• tdsskiller
• raccineelevatedcfg
• raccinesettings
• raccine_x86
• raccine
• sqlservr
• rtvscan
• sqlbrowser
• tomcat6
• qbidpservice
• notepad++
• systemexplorer
• systemexplorerservice
• systemexplorerservice64
• totalcmd
• totalcmd64
• veeamdeploymentsvc
• notepad

信息窃取

它收集下列数据:

• Volume Information

其他详细信息

它添加下列注册表键值:

HKEY_CURRENT_USER\Software\Krypt

HKEY_CLASSES_ROOT\.h0rus13

HKEY_CLASSES_ROOT\.h0rus13\DefaultIcon

HKEY_CURRET_USER\.h0rus13

HKEY_CURRET_USER\.h0rus13\DefaultIcon

该程序执行以下操作：

• It encrypts local, removable, and network drives.
• It empties the recycle bin.
• It terminates itself if the keyboard layout of the infected machine is the following:
  • Persian/Iran
• It terminates itself if the GUID was found in the system:
  • 51A301AD-3CCF-413A-AD80-A507DDCFF34C
• It changes the encrypted file icon to the following image: