Threat Analysis Unit - Threat Intelligence Notification
Title: DoNex Ransomware
Summary
DoNex ransomware was first discovered in March 2024. It has recently been seen in the wild targeting European and U.S. companies. The ransomware has been used in double extortion attacks, including file encryption and data exfiltration.
Behavioral Summary
Upon execution, the analyzed DoNex ransomware sample drops a file named “1.bat” in the C:\ProgramData directory. This Batch script contains commands that kill several applications and services via taskkill, as shown in Figure 1.
:start
ping 127.0.0.1 -n 2 >nul & taskkill /f /im sql* &
taskkill /f /im oracle* & taskkill /f /im mysq* &
taskkill /f /im chrome* & taskkill /f /im veeam* &
taskkill /f /im firefox* & taskkill /f /im excel* &
taskkill /f /im msaccess* & taskkill /f /im onenote* &
taskkill /f /im outlook* & taskkill /f /im powerpnt* &
taskkill /f /im winword* & taskkill /f /im wuauclt*
goto start
Figure 1: Contents of 1.bat file
Services stopped by DoNex ransomware are listed in Table 1.
| sql |
oracle |
onenote |
| mysq* |
chrome |
outlook |
| chrome |
firefox |
winword |
| excel |
msaccess |
powerpnt |
| wuauclt |
|
|
Table 1 : Services and processes stopped via taskkill.
DoNex ransomware attempts to delete volume shadow copies with two different commands using wmic and vssadmin as seen in Figure 2.
- cmd /c "vssadmin Delete Shadows /All /Quiet"
- cmd /c "wmic shadowcopy delete /nointeractive"
Figure 2: DoNex Ransomware’s process chart
DoNex ransomware assigns each victim with a victim identifier and renames encrypted files with it. It also creates a ransom note named “Readme.VictimID.txt” as shown in Figure 3. It changes some of the icons of encrypted applications to a logo for the MMORPG game Dragon Nest, appearing as a stylistic letter “D” as seen in Figure 4.
Figure 3: Screenshot of Ransom Note (Readme.VictimID.txt)
Figure 4: Screenshot of application with changed icon.
Customer Protection
DoNex Ransomware is blocked and detected by existing policies within VMware Carbon Black products. To learn more about further ransomware behavior, detection, and protection capabilities within the VMware Carbon Black suite of products against DoNex Ransomware, you may refer to the following blog post:
TAU-TIN - Ransomware Threats
MITRE ATT&CK TIDs
| T1486 |
Impact |
Data Encrypted for Impact |
| T1064 |
Execution |
Command and Scripting Interpreter Execution |
| T1082 |
Discovery |
File and Directory Discovery |
| T1490 |
Impact |
Inhibit System Recovery |
Indicators of Compromise (IOCs)
| 0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca |
SHA256 |
DoNex Ransomware |
| 21eae7e488b145fa3618627da99c3234696c0f15 |
SHA-1 |
DoNex Ransomware |
| 8a23347b733420472a1ec0a1eeada597 |
MD5 |
DoNex Ransomware |
| 1.bat |
File name |
File Dropped by DoNex Ransomware |
About TAU-TIN
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.
To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.
Attachment(s): 29922_iocs.csv#TAU-TIN