The SonicWall Capture Labs threat research team recently observed a new variant of StopCrypt ransomware.
The ransomware carries out its malicious activity through multi-stage shellcode before launching a final payload that contains the file encryption code.

Infection Cycle

At the start of execution, it builds the string msim32.dll on the stack and loads that DLL using LoadLibrary. Why it does this is a mystery, as it is not used in the process.
Source: SonicWall Security Centre