Analysis
-
max time kernel
150s -
max time network
92s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-12-2020 11:12
Static task
static1
Behavioral task
behavioral1
Sample
windows-update-cve-wfw.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
windows-update-cve-wfw.exe
Resource
win10v20201028
General
-
Target
windows-update-cve-wfw.exe
-
Size
2.7MB
-
MD5
d3715ab62bb922b56fb64b38c3feae8f
-
SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6
-
SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
-
SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt
http://decryptu7o2cckt5.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox DLL files 2 TTPs
-
Looks for VirtualBox drivers on disk 2 TTPs
-
Looks for VMWare drivers on disk 2 TTPs
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2032 cmd.exe -
Drops startup file 1 IoCs
Processes:
windows-update-cve-wfw.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5641 IoCs
Processes:
windows-update-cve-wfw.exedescription ioc process File created C:\Program Files\7-Zip\Lang\dmEudHh0.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW5ldGJlYW5zLW1vZHVsZXMtc2FtcGxlcl9qYS5qYXI=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\VEhNQk5BSUwuUE5H.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAwOTkyMDMuR0lG.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQyMTI5OF8uR0lG.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\Rk9STS5KUw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW9wZW5pZGUtdGV4dF9qYS5qYXI=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\U3RhcnRFZGl0LnBocA==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzNDE0NTUuSlBH.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5lbmdpbmUubmxfemhfNC40LjAudjIwMTQwNjIzMDIwMDAyLmphcg==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NDQuSlBH.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAxNzk5NjMuSlBH.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\WlBESVIyRi5HSUY=.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\Y29tLmpyb2NraXQubWMudWkuamFfNS41LjAuMTY1MzAzLmphcg==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuY29yZS5jb21tYW5kcy5ubF96aF80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW9wZW5pZGUtY29tcGF0Lmphcg==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5hcnRpZmFjdC5yZXBvc2l0b3J5Lm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\WlBESVIwMC5HSUY=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\QUcwMDE3NV8uR0lG.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NTIuSlBH.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NjEuSlBH.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\V0IwMTI0NF8uR0lG.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\include\anZtdGljbWxyLmg=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\VEhNQk5BSUwuUE5H.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\SjAxMTU4NDEuR0lG.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VklFV0JZLkdJRg==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\d2luQ2xhc3NpY0hhbmRsZS5wbmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW5ldGJlYW5zLWNvcmUtdWkuamFy.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\QWxlcnRJbWFnZV9PZmZNYXNrLmJtcA==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW5ldGJlYW5zLWFwaS1zZWFyY2hfamEuamFy.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5MjcuSlBH.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxNDY1NV8uR0lG.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxMDMwMl8uR0lG.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\SEVBREVSLkdJRg==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\Rm9ybXNWaWV3QXR0YWNobWVudEljb25zTWFzay5ibXA=.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2Uub3NnaS5jb21wYXRpYmlsaXR5LnN0YXRlLm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1 windows-update-cve-wfw.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1976 vssadmin.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1772 vssvc.exe Token: SeRestorePrivilege 1772 vssvc.exe Token: SeAuditPrivilege 1772 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
windows-update-cve-wfw.execmd.execmd.execmd.exedescription pid process target process PID 1008 wrote to memory of 2020 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 2020 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 2020 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 1080 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 1080 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 1080 1008 windows-update-cve-wfw.exe cmd.exe PID 2020 wrote to memory of 1216 2020 cmd.exe reg.exe PID 2020 wrote to memory of 1216 2020 cmd.exe reg.exe PID 2020 wrote to memory of 1216 2020 cmd.exe reg.exe PID 1080 wrote to memory of 1976 1080 cmd.exe vssadmin.exe PID 1080 wrote to memory of 1976 1080 cmd.exe vssadmin.exe PID 1080 wrote to memory of 1976 1080 cmd.exe vssadmin.exe PID 1008 wrote to memory of 1312 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 1312 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 1312 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 2032 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 2032 1008 windows-update-cve-wfw.exe cmd.exe PID 1008 wrote to memory of 2032 1008 windows-update-cve-wfw.exe cmd.exe PID 2032 wrote to memory of 1828 2032 cmd.exe PING.EXE PID 2032 wrote to memory of 1828 2032 cmd.exe PING.EXE PID 2032 wrote to memory of 1828 2032 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.execmd /C vssadmin Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /C "rd /s /q C:\\$RECYCLE.BIN"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1008-4-0x0000000000400000-0x00000000006E7000-memory.dmpFilesize
2.9MB
-
memory/1008-3-0x0000000000400000-0x00000000006E7000-memory.dmpFilesize
2.9MB
-
memory/1008-2-0x0000000000400000-0x00000000006E7000-memory.dmpFilesize
2.9MB
-
memory/1080-6-0x0000000000000000-mapping.dmp
-
memory/1216-7-0x0000000000000000-mapping.dmp
-
memory/1312-9-0x0000000000000000-mapping.dmp
-
memory/1828-11-0x0000000000000000-mapping.dmp
-
memory/1976-8-0x0000000000000000-mapping.dmp
-
memory/2020-5-0x0000000000000000-mapping.dmp
-
memory/2032-10-0x0000000000000000-mapping.dmp