1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

General

Target

windows-update-cve-wfw.exe
Size

2.7MB
MD5

d3715ab62bb922b56fb64b38c3feae8f
SHA1

5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256

1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512

8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Score

10^/10

evasion ransomware spyware trojan

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt

Ransom Note

How to decrypt: Download Tor Browser (https://www.torproject.org/dist/torbrowser/10.0.7/torbrowser-install-10.0.7_en-US.exe) and install. Open http://decryptu7o2cckt5.onion with Tor Browser. Paste yor KEY 03b76-1c61afa6b-ca44645589-e266e and follow instructions Your KEY 03b76-1c61afa6b-ca44645589-e266e

URLs

http://decryptu7o2cckt5.onion

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox DLL files 2 TTPs

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VMWare drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe
Drops startup file 1 IoCs

Processes:

windows-update-cve-wfw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2032	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt	windows-update-cve-wfw.exe

Drops file in Program Files directory 5641 IoCs

Processes:

windows-update-cve-wfw.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\dmEudHh0.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW5ldGJlYW5zLW1vZHVsZXMtc2FtcGxlcl9qYS5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\VEhNQk5BSUwuUE5H.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAwOTkyMDMuR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQyMTI5OF8uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\Rk9STS5KUw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW9wZW5pZGUtdGV4dF9qYS5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\U3RhcnRFZGl0LnBocA==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzNDE0NTUuSlBH.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5lbmdpbmUubmxfemhfNC40LjAudjIwMTQwNjIzMDIwMDAyLmphcg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NDQuSlBH.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAxNzk5NjMuSlBH.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\WlBESVIyRi5HSUY=.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\Y29tLmpyb2NraXQubWMudWkuamFfNS41LjAuMTY1MzAzLmphcg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuY29yZS5jb21tYW5kcy5ubF96aF80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW9wZW5pZGUtY29tcGF0Lmphcg==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5hcnRpZmFjdC5yZXBvc2l0b3J5Lm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\WlBESVIwMC5HSUY=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\QUcwMDE3NV8uR0lG.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NTIuSlBH.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5NjEuSlBH.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\V0IwMTI0NF8uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\anZtdGljbWxyLmg=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\VEhNQk5BSUwuUE5H.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\SjAxMTU4NDEuR0lG.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VklFV0JZLkdJRg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\d2luQ2xhc3NpY0hhbmRsZS5wbmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW5ldGJlYW5zLWNvcmUtdWkuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\QWxlcnRJbWFnZV9PZmZNYXNrLmJtcA==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\b3JnLW5ldGJlYW5zLWFwaS1zZWFyY2hfamEuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAzODI5MjcuSlBH.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxNDY1NV8uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxMDMwMl8uR0lG.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\SEVBREVSLkdJRg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\Rm9ybXNWaWV3QXR0YWNobWVudEljb25zTWFzay5ibXA=.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2Uub3NnaS5jb21wYXRpYmlsaXR5LnN0YXRlLm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1	windows-update-cve-wfw.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1976 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1216 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1828 PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1772 vssvc.exe
Token: SeRestorePrivilege 1772 vssvc.exe
Token: SeAuditPrivilege 1772 vssvc.exe

pid	process
1976	vssadmin.exe

pid	process
1216	reg.exe

pid	process
1828	PING.EXE

description	pid	process
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

windows-update-cve-wfw.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1008 wrote to memory of 2020	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 2020	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 2020	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 1080	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 1080	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 1080	1008	windows-update-cve-wfw.exe	cmd.exe
PID 2020 wrote to memory of 1216	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1216	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1216	2020	cmd.exe	reg.exe
PID 1080 wrote to memory of 1976	1080	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 1976	1080	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 1976	1080	cmd.exe	vssadmin.exe
PID 1008 wrote to memory of 1312	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 1312	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 1312	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 2032	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 2032	1008	windows-update-cve-wfw.exe	cmd.exe
PID 1008 wrote to memory of 2032	1008	windows-update-cve-wfw.exe	cmd.exe
PID 2032 wrote to memory of 1828	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1828	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1828	2032	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe
"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1216

C:\Windows\system32\cmd.exe
cmd /C vssadmin Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1976

C:\Windows\system32\cmd.exe
cmd /C "rd /s /q C:\\$RECYCLE.BIN"
2⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Virtualization/Sandbox Evasion

3

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

File and Directory Discovery

3

T1083

Virtualization/Sandbox Evasion

3

T1497

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-4-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1008-3-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1008-2-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1080-6-0x0000000000000000-mapping.dmp

Download
memory/1216-7-0x0000000000000000-mapping.dmp

Download
memory/1312-9-0x0000000000000000-mapping.dmp

Download
memory/1828-11-0x0000000000000000-mapping.dmp

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download
memory/2020-5-0x0000000000000000-mapping.dmp

Download
memory/2032-10-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing