
Ransom:Win32/Tovicrypt.A

First posted on 24 September 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Tovicrypt.A.

Explanation:

Installation

We have seen this ransomware distributed through the same channels as the Win32/Exxroute ransomware family, mainly through exploits.
It may arrive as a malicious DLL written to the %TEMP% folder under the name rad[randomhex].tmp.dll and loaded through regsvr32.exe, or as a stand-alone executable in the same folder named rad[randomhex].tmp.exe.

Payload

Encrypts files

This ransomware can encrypt the files with the following extensions on your PC:

.3dm .cnv .faq .imd .mng .pgf .sch .usr .3ds .colz .fax .indd .mnr .pgm .sci .utf8 .3g2 .cpc .fb2 .info .mnt .phm .scm .utxt .3gp .cpd .fb3 .ini .mobi .php .sct .v12 .4db .cpg .fbl .ini0 .mos .pi1 .scv .vbr .4dl .cpp .fbx .ini4 .mov .pi2 .scw .vbs .4mp .cps .fcd .ini8 .mp3 .pi3 .sdb .vcf .a3d .cpt .fcf .inid .mp4 .pic .sdf .vct .abm .cpx .fdb .inih .mpa .pict .sdm .vcxproj .abs .crd .fdf .inil .mpf .pif .sdoc .vda .abw .crt .fdr .inip .mpg .pix .sdw .vdb .accdb .crwl .fds .init .mpo .pjpg .sep .vdi .act .crypt .fdt .inix .mrg .pjt .sfc .vec .adn .csr .fdx .ink .mrxs .plt .sfw .vff .adp .css .fdxt .ipf .ms11 .plugin .sgm .vmdk .aes .csv .fes .ipx .msg .pmg .sig .vml .af2 .csy .fft .itdb .msi .png .sitx .vmx .af3 .cue .fh10 .itw .mt9 .pni .sk1 .vnt .aft .cv5 .fh11 .iwi .mud .pnm .sk2 .vob .afx .cvg .fh3 .j2c .mwb .pntg .skm .vpd .agif .cvi .fh4 .j2k .mwp .pnz .sla .vpe .agp .cvs .fh5 .jar .mxl .pop .sld .vrml .ahd .cvx .fh6 .jas .myd .pot .sldx .vrp .aic .cwt .fh7 .java .myi .potm .slk .vsd .aif .cxf .fh8 .jb2 .myl .potx .sln .vsdm .aim .cyi .fic .jbmp .ncr .pp4 .sls .vsdx .albm .dad .fid .jbr .nct .pp5 .smf .vsm .alf .daf .fif .jfif .ndf .ppam .smil .vst .ani .db3 .fig .jia .nef .ppm .sms .vstx .ans .dbf .fil .jis .nfo .pps .sob .vue .apd .dbk .fla .jks .njx .ppsm .spa .wav .apk .dbt .fli .jng .nlm .ppsx .spe .wb1 .apm .dbv .flr .joe .note .ppt .sph .wbc .apng .dbx .flv .jp1 .now .pptm .spj .wbd .app .dca .fm5 .jp2 .nrw .pptx .spp .wbk .aps .dcb .fmv .jpe .ns2 .prf .spq .wbm .apt .dch .fodt .jpeg .ns3 .priv .spr .wbmp .apx .dcs .fol .jpg .ns4 .private .sqb .wbz .arc .dct .fp3 .jpg2 .nsf .prt .sql .wcf .art .dcu .fp4 .jps .nv2 .prw .sqlite3 .wdb .arw .dcx .fp5 .jpx .nyf .psd .sqlitedb .wdp .asc .ddl .fp7 .jrtf .nzb .psdx .sr2 .webp .ase .ddoc .fpos .jsp .obj .pse .srt .wgz .asf .dds .fpt .jtx .oc3 .psid .srw .wire .ask .ded .fpx .jwl .oc4 .psp .ssa .wks .asm .df1 .frm .jxr .oc5 .pspimage .ssk .wma .asp .dgn .frt .kdb .oce .psw .stc .wmdb .aspx .dgs .ft10 .kdbx .oci 
.ptg .std .wmf .asw .dhs .ft11 .kdc .ocr .pth .ste .wmv .asx .dib .ft7 .kdi .odb .ptx .sti .wp4 .asy .dif .ft8 .kdk .odg .pvj .stm .wp5 .aty .dip .ft9 .kes .odm .pvm .stn .wp6 .avi .diz .ftn .key .odo .pvr .stp .wp7 .awdb .djv .fwdn .kic .odp .pwa .str .wpa .awp .djvu .fxc .klg .ods .pwi .stw .wpd .awt .dm3 .fxg .kml .odt .pwr .sty .wpe .aww .dmi .fzb .kmz .ofl .pxr .sub .wpg .azz .dmo .fzv .knt .oft .pz3 .sumo .wpl .bad .dnc .gadget .kon .omf .pza .sva .wps .bay .dne .gbk .kpg .oplc .pzp .svf .wpt .bbs .doc .gbr .kwd .oqy .pzs .svg .wpw .bdb .docb .gcdp .lay .ora .qcow2 .svgz .wri .bdp .docm .gdb .lay6 .orf .qdl .swf .wsc .bdr .docx .gdoc .lbm .ort .qmg .sxc .wsd .bean .docz .ged .lbt .orx .qpx .sxd .wsf .bib .dot .gem .ldf .ota .qry .sxg .wsh .bm2 .dotm .geo .lgc .otg .qvd .sxi .wtx .bmp .dotx .gfb .lis .oti .rad .sxm .wvl .bmx .dp1 .ggr .lit .otp .rar .sxw .x3d .bna .dpp .gif .ljp .ots .ras .t2b .x3f .bnd .dpx .gih .lmk .ott .raw .tab .xar .boc .dqy .gim .lnt .ovp .rctd .tar .xcodeproj .bok .drw .gio .lp2 .ovr .rcu .tb0 .xdb .brd .drz .glox .lrc .owc .rdb .tbk .xdl .brk .dsk .gpd .lst .owg .rdds .tbn .xhtm .brn .dsn .gpg .ltr .oyx .rdl .tcx .xhtml .brt .dsv .gpn .ltx .ozb .rft .tdf .xlc .bss .dt2 .gpx .lua .ozj .rgb .tdt .xld .btd .dta .gro .lue .ozt .rgf .tex .xlf .bti .dtd .grob .luf .p12 .rib .text .xlgc .btr .dtsx .grs .lwo .p7s .ric .tfc .xlm .bz2 .dtw .gsd .lwp .p96 .riff .tg4 .xlr .c4d .dvi .gthr .lws .p97 .ris .tga .xls .cal .dvl .gtp .lyt .pages .rix .tgz .xlsb .cals .dwg .gwi .lyx .pal .rle .thm .xlsm .can .dxb .hbk .m3d .pan .rli .thp .xlsx .cd5 .dxf .hdb .m3u .pano .rng .tif .xlt .cdb .dxl .hdp .m4a .pap .rpd .tiff .xltm .cdc .eco .hdr .m4v .paq .rpf .tjp .xltx .cdg .ecw .hht .mac .pas .rpt .tlb .xlw .cdmm .ecx .his .man .pbm .rri .tlc .xml .cdmt .edb .hpg .map .pc1 .rsb .tm2 .xpm .cdr .efd .hpgl .maq .pc2 .rsd .tmd .xps .cdr3 .egc .hpi .mat .pc3 .rsr .tmp .xwp .cdr4 .eio .hpl .max .pcd .rss .tmv .xy3 .cdr6 .eip .htc .mbm .pcs .rst .tmx .xyp .cdt 
.eit .htm .mbox .pct .rtd .tne .xyw .cer .emd .html .mdb .pcx .rtf .tpc .yal .cfg .emf .hwp .mdf .pdb .rtx .tpi .ybk .cfm .eml .i3d .mdn .pdd .run .trm .yml .cfu .emlx .ibd .mdt .pdf .rw2 .tvj .ysp .cgi .epf .ibooks .mef .pdm .rwl .txt .yuv .cgm .epp .icn .mell .pdn .rzk .u3d .z3d .cimg .eps .icon .mfd .pds .rzn .u3i .zabw .cin .epsf .idc .mft .pdt .s2mv .udb .zdb .cit .eql .idea .mgcb .pe4 .s3m .ufo .zdc .ckp .erf .idx .mgmt .pef .saf .ufr .zif .class .err .iff .mgmx .pem .sai .uga .zip .clkw .etf .igt .mid .pff .sam .unx .zipx .cma .etx .igx .min .pfi .save .uof .zz .cmd .euc .ihx .mkv .pfs .sbf .uop .cmx .exr .iil .mmat .pfv .scad .uot .cnm .fal .iiq .mml .pfx .scc .upd

After encrypting files, it drops the following ransom note files in each folder: README.bmp, README.html, and README.txt.

This ransomware may also:

  • Delete Volume Shadow Copies to stop you from restoring your files from a local backup.
  • Set the desktop wallpaper to the ransom note image file.

Connects to a remote host

We have seen this ransomware connect and send information to the following addresses:
  • 91.220.131.147 at TCP port 443
  • 65.49.8.96 at TCP port 443
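The indicators in this write-up (the rad[randomhex].tmp.dll or .tmp.exe dropper in %TEMP%, regsvr32.exe loading that DLL, shadow copy deletion, the three README notes dropped per folder, and the two remote hosts on TCP 443) map directly onto host and network telemetry. The Python below is an added hunting example, not code from Microsoft or from this page: the event record shape (type/image/cmdline/path/dst_ip/dst_port) and the sample events are constructed to resemble Sysmon-style process, file and network events, and the vssadmin/wmic command-line pattern for shadow copy deletion is an assumption, since the page only says that shadow copies are deleted, not how.

```python
"""Indicator checks for Ransom:Win32/Tovicrypt.A over simple event records.

Added example. The event shape is a constructed simplification of
Sysmon-style telemetry; it is not a Microsoft format.
"""
import re
from collections import defaultdict

# Dropper naming from the write-up: %TEMP%\rad<randomhex>.tmp.dll or .tmp.exe.
# The lookahead lets the same pattern match a bare image path or a quoted
# path inside a command line.
RAD_FILE_RE = re.compile(r'(?i)[\\/]temp[\\/]rad[0-9a-f]+\.tmp\.(dll|exe)(?=["\s]|$)')

# Remote hosts and port listed in the write-up.
C2_ENDPOINTS = {("91.220.131.147", 443), ("65.49.8.96", 443)}

# Ransom note file names dropped into each folder after encryption.
RANSOM_NOTES = {"readme.bmp", "readme.html", "readme.txt"}

# ASSUMPTION: the page says only that shadow copies are deleted; these are
# the usual command lines for doing so and are not taken from the page.
SHADOW_DELETE_RE = re.compile(
    r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"
)


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def _dirname(path):
    return "\\".join(re.split(r"[\\/]", path)[:-1]).lower()


def check_process(ev):
    """Return indicator tags for one process-creation event."""
    tags = []
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    # regsvr32.exe registering the rad*.tmp.dll dropper from %TEMP%
    m = RAD_FILE_RE.search(cmdline)
    if _basename(image) == "regsvr32.exe" and m and m.group(1).lower() == "dll":
        tags.append("regsvr32_rad_dll")
    # stand-alone rad*.tmp.exe launched from %TEMP%
    m = RAD_FILE_RE.search(image)
    if m and m.group(1).lower() == "exe":
        tags.append("rad_exe")
    if SHADOW_DELETE_RE.search(cmdline):
        tags.append("shadow_copy_delete")
    return tags


def check_network(ev):
    """Return indicator tags for one outbound connection event."""
    if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
        return ["c2_contact"]
    return []


def scan(events):
    """Run every check; returns {tag: [event indices]} plus, under
    'ransom_notes_dir', the folders where all three README notes appeared."""
    hits = defaultdict(list)
    notes_by_dir = defaultdict(set)
    for i, ev in enumerate(events):
        kind = ev.get("type")
        tags = []
        if kind == "process":
            tags = check_process(ev)
        elif kind == "network":
            tags = check_network(ev)
        elif kind == "file":
            name = _basename(ev.get("path", ""))
            if name in RANSOM_NOTES:
                notes_by_dir[_dirname(ev["path"])].add(name)
        for tag in tags:
            hits[tag].append(i)
    # A folder holding all three notes is a strong sign encryption ran there;
    # a lone README.txt (as in the Pictures sample below) is not enough.
    hits["ransom_notes_dir"] = sorted(d for d, s in notes_by_dir.items() if s == RANSOM_NOTES)
    return dict(hits)


# Constructed sample events (not real telemetry), one per indicator plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\rad1F3A9.tmp.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe",
     "dst_ip": "91.220.131.147", "dst_port": 443},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "file", "path": r"C:\Users\bob\Documents\README.txt"},
    {"type": "file", "path": r"C:\Users\bob\Documents\README.html"},
    {"type": "file", "path": r"C:\Users\bob\Documents\README.bmp"},
    {"type": "file", "path": r"C:\Users\bob\Pictures\README.txt"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\rad.txt"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\rad9B2C.tmp.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\rad9B2C.tmp.exe"},
]

if __name__ == "__main__":
    for tag, where in scan(SAMPLE_EVENTS).items():
        print(f"{tag}: {where}")
```

The regsvr32 check keys on the %TEMP%\rad[hex].tmp.dll argument rather than on regsvr32.exe alone, because regsvr32 is used legitimately; the C2 check is a plain IP:port match and should be paired with the TLS-on-443 detail from the page rather than treated as proof on its own, since both addresses could be reassigned after 2016.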

Analysis by Jireh Sanico

Last update 24 September 2016
