Home / malware

PDF

Ransom:Win32/Hiptkript.A

First posted on 15 August 2016.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Hiptkript.A.

Explanation :

Installation

This ransomware drops the following files in the %TEMP% folder:

• extratools.bat (driver)
• erone.vbs (message)
• firefox32.exe (deletes file in targeted directory)
• chrst.exe (pictures and button only no ransom code)

Payload

Pretends to encrypt your files

We have seen this ransomware target the following directory and remove all extensions of files (pretend encryption):

• C:\Users\Public\Pictures\Sample Pictures
• C:\Users\Public\Music\Sample Music
• C:\Users\Public\Videos\Sample Videos
• %userprofile%\Pictures
• %userprofile%\Documents
• %userprofile%\Downloads
• %userprofile%\Music
• %userprofile%\Videos
• %userprofile%\Contacts
• %userprofile%\Links
• %userprofile%\Desktop

Example:

• File1.png is renamed to file1.
• file.bin is renamed to file.

Analysis by Carmen Liang

Last update 15 August 2016

 

TOP