logo_SVG-01
✕
  • Platform
    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    • Managed Security Services
    • Managed Penetration Testing
  • Services
    • Assess
      • Compromise Assessment
      • Advanced Persistent Threats Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      • SOC Maturity Assessment
      • SOC Model Evaluation
      • SOC Gap Analysis
      • SIEM Gap Analysis
      • SIEM Optimization
      • SOC Content Pack
    • Train
      • Simulated Cyber Attack Exercise
      • Tabletop Exercise
      • Security Awareness and Training
    • Respond
      • Incident Analysis
      • Incident Response
  • Solutions
  • Resources
    • Blogs
    • Press Releases
    • Threat Insights
      • Threat Intelligence Reports
      • Threat Advisories
      • Monthly Threat Insights
  • Why Rewterz?
    • About Us
    • Careers
    • Contact
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Rewterz Threat Alert – Pots Ransomware Campaign – IoCs

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 19, 2023
    March 19, 2023
    Rewterz Threat Advisory – CVE-2022-42436 – IBM MQ Vulnerability
    Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]
    March 19, 2023
    March 19, 2023
    Rewterz Threat Advisory – ICS: Rockwell Automation Modbus TCP AOI Server Vulnerability
    Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Advisory – ICS: Multiple Schneider Electric IGSS Vulnerabilities
    Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Rewterz Threat Alert – Pots Ransomware Campaign – IoCs

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 19, 2023
    March 19, 2023
    Rewterz Threat Advisory – CVE-2022-42436 – IBM MQ Vulnerability
    Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]
    March 19, 2023
    March 19, 2023
    Rewterz Threat Advisory – ICS: Rockwell Automation Modbus TCP AOI Server Vulnerability
    Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Advisory – ICS: Multiple Schneider Electric IGSS Vulnerabilities
    Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
Rewterz
Rewterz threat Alert – SpeakUp Malware Infecting Linux Devices
March 11, 2019
Rewterz
Rewterz Threat Alert – Two Malspam Campaigns Detected
March 12, 2019

Rewterz Threat Alert – Pots Ransomware Campaign – IoCs

March 12, 2019

Severity

Medium

Analysis Summary

Discovered in January 2019, this ransomware is seen affecting Windows in multiple attacks. Ransom.Pots is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them. It appends its extensions after the encrypted file names and leaves a ransom note with instructions to be followed for the decryption procedure. 

When the Trojan is executed, it creates the following files:

  • %AppData%\[GUID]\1.exe
  • %AppData%\[GUID]\2.exe
  • %AppData%\[GUID]\3.exe
  • %AppData%\[GUID]\updatewin.exe
  • %AppData%\script.ps1

The Trojan also creates the following file in all folders where it encrypts files:

  • [PATH TO MALWARE]\_openme.txt

The Trojan creates the following registry entry so that it runs every time Windows starts:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”SysHelper” = “”%AppData%\c76335f4-3ef1-46c4-a9e2-49f4d190a4f3\[MALWARE NAME]” –AutoStart”

The Trojan also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows Defender\”DisableAntiSpyware” = “1”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableTaskMgr” = “1”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\”ExecutionPolicy” = “RemoteSigned”

Next, the Trojan executes the following file to disable Windows Defender’s real-time monitoring:

  • %AppData%\script.ps1

The Trojan also executes the following file to modify the hosts file:

  • %AppData%\[GUID]\2.exe

Indicators of compromise are given below.

Impact

Pots Ransomware

Files Encryption

Indicators of Compromise

IP(s) / Hostname(s) 127[.]0[.]0[.]1
bana911[.]ru
morgem[.]ru
URLs bana911[.]ru
grovyroet[.]online
hxxp[:]//bana911[.]ru/004/get[.]php?pid=6D27C36D808D643FFA69ACAEFF8AD4B1
hxxp[:]//bana911[.]ru/004/get[.]php?pid=8585BA8504C2EBE0D147EFFF1E60C5C7
hxxp[:]//bana911[.]ru/1[.]exe
hxxp[:]//bana911[.]ru/2[.]exe
hxxp[:]//bana911[.]ru/666666/get[.]php?pid=2485E9F082250E269EA0EF635E0D382D
hxxp[:]//bana911[.]ru/6666662323232/get[.]php?pid=2E0A56D692DB85ABBAFDB89C7340910A
hxxp[:]//bana911[.]ru/66666623232329988/get[.]php
hxxp[:]//bana911[.]ru/66666623232329988/get[.]php?pid=854A7AB3FE26B183822D6FDA75462A8C
hxxp[:]//bana911[.]ru/xxx233232/updatedwin[.]exe
hxxp[:]//bana911[.]ru/xxx233232/updatewin[.]exe
hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php
hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=46662869E203E1189EE9E31C6EDF75B7
hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=753292965DBD0DCF5668ACA7E107EEB9
hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=9A952F08347B2468D7D2AB96FD55E680
hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=CFB9E1D13F3511F732BB484410812F00
hxxp[:]//grovyroet[.]online/xxx/2[.]exe
hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi
hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi?pid=%5Bmachine_id%5D
hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi?pid=C338CC1F2EED1FBC1FA98988C16CD4BE
hxxp[:]//morgem[.]ru/test/get[.]php?pid=BA6B0E094A69F421C5A8CA214C57FA05
hxxp[:]//morgem[.]ru/test2/get[.]php?pid=6C607A125012B48A10CA4C9FBCDA0EF6
hxxp[:]//morgem[.]ru/xxx/2[.]exe
hxxp[:]//morgem[.]ru/xxx/3[.]exe
hxxp[:]//morgem[.]ru/xxx/39[.]exe
hxxp[:]//morgem[.]ru/xxx/updatewin[.]exe
hxxp[:]//mx[.]rosalos[.]ug//asdsfsghtyuAssdffgASdYDIUysiySdtfyewy73465o7yafihduaouirty7old/
hxxp[:]//mx[.]rosalos[.]ug//kuaofkzmdjhfqeoruSDIhfvbSdew66sdjfvsjHweuywoafhdjSdhfbuntuold/
hxxp[:]//rosalos[.]ug/kuSidwkKSdjnVjdnYDfSDfCJSDoiSDfpkSfFUISDASdJSHdubuntuold/get[.]php?pid=8191A331D30AB3860E4E30ACD8643907
hxxp[:]//rosalos[.]ug/trtasdgvgpoidfg87gs7df754ad4asdxzffdfasdfreer/update[.]exe
hxxp[:]//rosalos[.]ug/YTtyusdftsGHJBVxcvxcvRT98789old/get[.]php?pid=4EB8EBDDCA3D4FC9135AEBD602FB7A00
rosalos[.]ug
Filename 0A80000.ex
dump-2228224.mem
315e6ed36fd5953de34b5486f92c5eb135ac32c06789971be3a21a61fce7dc7f.bin
44DE.TMP.EXE
1.exe
updatewin.exe
2.exe
Copy of _00920000.mem9
Extension .djvu
.rumba
.tfudet
.tro
Malware Hash (MD5/SHA1/SH256) 24e781ea90b71c782164d998006a050d88e6dc040b30b34ad6229f7a51f4c7eb
a78ccb4babd8f76e17366e0c34c9cc9d
2bae2122ae0e4b3f61132ad93d109f6a17171fc0b82286d23d1103cc115ecc81
9840be8b3721f996afcaf27c76120e4e
315e6ed36fd5953de34b5486f92c5eb135ac32c06789971be3a21a61fce7dc7f
7aa8eb034a46d81d86f7abd6342b0923
48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9
734210184c461f58f6983644b1cb0c87
4f6d6e3f4e722f276ba448373ca4012e2436e3fdc38b5eb6edf453b6abec662b
2479673beacb567ed2a8885d435de40e
6966599b3a7786f81a960f012d540866ada63a1fef5be6d775946a47f6983cb7
dcb9cb3abc689f8c0eb39af6429c1c2f
6b9d282c01a5b20bea3183bf71ff8d2f97f0f7313ba57ce833a7b0418cf519c3
a72199bf14763fff60dd2b50e3d9a081
74949570d849338b3476ab699af78d89a5afa94c4529596cc0f68e4675a53c37
44fbfadb6a088da850f521dd8b783344
91a1122ed7497815e96fdbb70ea31b381b5243e2b7d81750bf6f6c5ca12d3cee
4009ee32ad44697619cee80616220782
b22a4ee6962714dad7adda4f93d1281185c1e2c8eabb1ba09725cb4cdedc550a
31977515894aad33f8e07f7d7fbf3cf7

Affected Products

Windows

Remediation

Block the threat indicators at their respective controls. 

Platform

  • Rewterz XDR
  • Rewterz Defense
  • Rewterz Threat Intelligence

Managed Security Services

  • Managed Security Monitoring
  • Remote SOC
  • Onsite SOC
  • Hybrid SOC

Assess

  • Compromise Assessment
  • APT Assessment
  • Penetration Testing
  • Architecture Design & Review
  • Red Team Assessment
  • Purple Team Assessment
  • Social Engineering
  • Source Code Review

Transform

  • SOC Consultancy
  • SOC Maturity Assessment
  • SOC Model Evaluation
  • SOC Gap Analysis
  • SIEM Gap Analysis
  • SIEM Optimization
  • SOC Content Pack

Train

  • Simulated Cyber Attack Exercise
  • Tabletop Exercise
  • Security Awareness and Training

Respond

  • Incident Analysis
  • Incident Response

Threat Insights

  • Threat Advisories
  • Monthly Threat Insights
  • Threat Intelligence Reports

Resources

  • Blog
  • Press Releases

Connect With Us

  • Contact
  • Careers
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.
Get a Demo