Deep Analysis — RansomComponent | Threat: CRITICAL

File Identity

SHA256: ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Size: 102,400 bytes (PE32 GUI x86, 6 sections)
Entropy: 6.403 (normal for an unpacked PE; no sign of a packed or encrypted image)

vssadmin Delete Shadows: Shadow Copy Destruction

RANSOMWARE COMPONENT: destroys System Restore points and "Previous Versions" (the local Volume Shadow Copies)!
/C vssadmin Delete Shadows /all /quiet

-- "Delete Shadows /all": delete ALL shadow copies on every volume
-- "/quiet": no confirmation prompt and no output; the user sees nothing
-- Effect: Windows System Restore points and Previous Versions are destroyed
-- Victim cannot roll files back from shadow copies (MITRE ATT&CK T1490, Inhibit System Recovery)
-- vssadmin only works from an elevated context, so expect this after privilege escalation or from an administrator session
-- A hallmark seen across major ransomware families: WannaCry, NotPetya, REvil, LockBit, Conti...

vssadmin resize shadowstorage: Shadow Copy Eviction via Storage Cap

/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
/C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

-- Two steps per volume (d, e, h; for g: only the shrink step appears in the recovered strings):
  1. maxsize=401MB: cap the shadow storage far below what the existing copies occupy; VSS has to evict (delete) shadow copies to fit the new limit
  2. maxsize=unbounded: lift the cap again so the setting looks untouched afterwards
-- Net effect is the same as "Delete Shadows /all": the copies are gone. It does not break VSS or stop new copies from being created; its value to the attacker is that it avoids the "Delete Shadows" string most detections key on
-- Detection: alert on any "resize shadowstorage" with a small /maxsize, and on a shrink followed by unbounded for the same volume within seconds

net stop + taskkill: Service and Process Termination

net stop (x5 references)
taskkill /IM wordpad.exe /F
taskkill /IM msaess.exe /F

-- net stop: stop backup/AV/database services before encryption starts
  net stop vss / net stop wbengine (Windows Backup Engine)
  net stop mssqlserver / net stop mysql (database engines, so their data files are no longer held open)
-- wordpad.exe: force-killed (/F) to release file handles so open documents can be encrypted
-- msaess.exe: as recovered, this name matches no known McAfee Agent process; paired with wordpad.exe it most likely reads msaccess.exe (Microsoft Access), i.e. another file-lock release rather than AV termination. Confirm the exact string in a sandbox run before tagging it as AV evasion
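The three behaviours above (shadow copy deletion, the shrink-then-unbounded resize pair, and the net stop / taskkill kill list) are all visible in process-creation telemetry. The following is an added example, not code from the original analysis: a Python scorer over command lines as they would appear in Sysmon Event ID 1 or Security 4688. The command lines are constructed to mirror the recovered strings; the service watch-list, the 1024 MB shrink threshold and the scoring weights are assumptions to tune per environment.

```python
"""Score process-creation command lines for the recovery-inhibition chain described above.

Added example (not from the original analysis). Command lines are constructed; the
watch-lists, threshold and weights are assumptions.
"""
import re
from typing import List, Optional

DELETE_SHADOWS = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RESIZE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\s+/for=(\w:)\s+/on=(\w:)\s+/maxsize=(\S+)",
    re.I,
)
NET_STOP = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+(?:\"([^\"]+)\"|(\S+))", re.I)
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b(.*)", re.I)

# Assumed watch-list of backup/VSS/database services whose stop precedes encryption.
BACKUP_DB_SERVICES = {"vss", "wbengine", "mssqlserver", "mysql", "sql", "veeam", "backupexec"}
SHRINK_THRESHOLD_MB = 1024  # a cap at or below this on a real volume forces copy eviction


def maxsize_mb(token: str) -> Optional[float]:
    """Convert a /maxsize value to MB. 'unbounded' -> inf; percentages -> None (volume size unknown)."""
    t = token.strip().lower()
    if t == "unbounded":
        return float("inf")
    if t.endswith("%"):
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kb|mb|gb|tb)?", t)
    if not m:
        return None
    scale = {None: 1 / 1048576, "kb": 1 / 1024, "mb": 1.0, "gb": 1024.0, "tb": 1048576.0}
    return float(m.group(1)) * scale[m.group(2)]


def analyze(cmdlines: List[str]) -> dict:
    """Walk command lines in order; return structured findings and a score."""
    shrunk = {}      # volume -> cap in MB seen so far
    restored = []    # volumes that were shrunk and then set back to unbounded
    findings = {"delete_shadows": False, "services_stopped": [], "images_killed": []}
    for cmd in cmdlines:
        if DELETE_SHADOWS.search(cmd):
            findings["delete_shadows"] = True
            continue
        m = RESIZE.search(cmd)
        if m:
            vol, mb = m.group(1).lower(), maxsize_mb(m.group(3))
            if mb == float("inf") and vol in shrunk:
                restored.append(vol)                       # step 2 of the squeeze
            elif mb is not None and mb <= SHRINK_THRESHOLD_MB:
                shrunk[vol] = mb                           # step 1 of the squeeze
            continue
        m = NET_STOP.search(cmd)
        if m:
            svc = (m.group(1) or m.group(2)).lower()
            if svc in BACKUP_DB_SERVICES:
                findings["services_stopped"].append(svc)
            continue
        m = TASKKILL.search(cmd)
        if m and re.search(r"/f\b", m.group(1), re.I):    # forced kill only
            img = re.search(r"/im\s+(\S+)", m.group(1), re.I)
            if img:
                findings["images_killed"].append(img.group(1).lower())
    findings["shrink_then_restore"] = sorted(restored)
    findings["shrink_only"] = sorted(v for v in shrunk if v not in restored)
    findings["score"] = (
        3 * int(findings["delete_shadows"])
        + 2 * len(findings["shrink_then_restore"])
        + len(findings["shrink_only"])
        + len(findings["services_stopped"])
        + len(findings["images_killed"])
    )
    return findings


# Constructed command lines mirroring the strings recovered from the sample, plus two benign ones.
SAMPLE_CMDLINES = [
    "cmd.exe /C vssadmin Delete Shadows /all /quiet",
    "cmd.exe /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB",
    "cmd.exe /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded",
    "cmd.exe /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB",
    "cmd.exe /C vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded",
    "cmd.exe /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB",
    "cmd.exe /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB",
    "cmd.exe /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded",
    "cmd.exe /C net stop vss",
    "cmd.exe /C net stop wbengine",
    "cmd.exe /C net stop mssqlserver",
    "cmd.exe /C taskkill /IM wordpad.exe /F",
    "cmd.exe /C taskkill /IM msaess.exe /F",                              # string as recovered on the page
    "cmd.exe /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=20%",  # benign admin change, ignored
    r"C:\Windows\system32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINES))
```

The pairing logic is the part worth keeping: a single small resize is already suspicious, but a shrink followed by unbounded on the same volume is the exact squeeze sequence above and scores higher than either command alone.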

CreateRemoteThread: Process Injection

CreateRemoteThread

-- Small 100KB size: most likely a loader/injector module rather than the full encryptor
-- The actual ransomware payload is presumably injected into another process. CreateRemoteThread on its own only shows the capability; the usual companions (OpenProcess, VirtualAllocEx, WriteProcessMemory) are not listed here, so confirm the pattern in a sandbox run
-- qnoI2DNO: x7 references; an 8-character string used this often is consistent with a mutex name (anti-reinfection check) or an RC4 key
-- Unconfirmed: an RC4- or XOR-encrypted C2 endpoint may be present, but nothing in the recovered strings supports it and the profile below records the C2 protocol as "Local"

IOC

SHA256: ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
VSS deletion: vssadmin Delete Shadows /all /quiet
Process termination: taskkill /IM msaess.exe (as recovered; likely msaccess.exe, not a McAfee component)
String: qnoI2DNO (mutex/key)

RansomComponent — Malware Profile

Small (100KB) PE32 ransomware component. vssadmin Delete Shadows /all /quiet (shadow copy destruction). vssadmin resize shadowstorage (shadow copy eviction via storage cap). net stop x5 (service termination). taskkill /IM wordpad.exe and /IM msaess.exe (forced process termination to release file locks). CreateRemoteThread injection.

Malware Type
Ransomware
Programming Language
C/C++
C2 Protocol
Local
Target Systems
Global

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — RansomComponent
# SHA256 ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Type     Value                                                              Note
sha256   ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a   -
Tags
ransomcomponent, ransomware-component, vssadmin-delete-shadows-all-quiet-shadow-copy-deletion, vssadmin-resize-shadowstorage-401mb-unbounded-backup-prevention, net-stop-x5-service-termination-av-backup, taskkill-im-wordpad-msaess-process-termination, createremotethread-remote-process-injection, qnoI2DNO-mutex-anti-reinfection, small-100kb-component-loader-module