New Ransomware Charon Uses Earth Baxia APT Techniques To Target Enterprises

Indicators of Compromise

| SHA1 | Detection | Description |
| --- | --- | --- |
| 92750eb5990cdcda768c7cb7b654ab54651c058a | Ransom.Win64.CHARON.THGBCBE | Payload (Charon Ransomware) |
| a1c6090674f3778ea207b14b1b55be487ce1a2ab | Ransom.Win64.CHARON.A.enc | Shellcode (DumpStack.log) |
| 21b233c0100948d3829740bd2d2d05dc35159ccb | Trojan.Win64.SWORDLDR.THGBCBE | SWORDLDR (msedge.dll) |

Charon manipulates the following service names and process names:

Service names:

AcronisAgent
AcrSch2Svc
backup
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
BackupExecVSSProvider
CAARCUpdateSvc
CASAD2DWebSvc
ccEvtMgr
ccSetMgr
DefWatch
GxBlr
GxCIMgr
GxCVD
GxFWD
GxVss
Intuit.QuickBooks.FCS
memtas
mepocs
PDVFSService
Process Name
QBCFMonitorService
QBFCService
QBIDPService
RTVscan
SavRoam
Service Name
Sophos
sql
stc_raw_agent
svc$
Veeam
Veeam
VeeamDeploymentService
VeeamNFSSvc
VeeamTransportSvc
VSNAPVSS
vss
YooBackup
YooIT
zhudongfangyu

Process names:

agentsvc.exe
dbeng50.exe
dbsnmp.exe
encsvc.exe
excel.exe
firefox.exe
infopath.exe
isqlplussvc.exe
msaccess.exe
mspub.exe
mydesktopqos.exe
mydesktopservice.exe
notepad.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
oracle.exe
outlook.exe
powerpnt.exe
sqbcoreservice.exe
sql.exe
steam.exe
synctime.exe
tbirdconfig.exe
thebat.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
xfssvccon.exe