1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

General

Target

windows-update-cve-wfw.exe
Size

2.7MB
MD5

d3715ab62bb922b56fb64b38c3feae8f
SHA1

5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256

1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512

8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Score

10^/10

evasion ransomware spyware trojan

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt

Ransom Note

How to decrypt: Download Tor Browser (https://www.torproject.org/dist/torbrowser/10.0.7/torbrowser-install-10.0.7_en-US.exe) and install. Open http://decryptu7o2cckt5.onion with Tor Browser. Paste yor KEY 03b76-1c61afa6b-ca44645589-e266e and follow instructions Your KEY 03b76-1c61afa6b-ca44645589-e266e

URLs

http://decryptu7o2cckt5.onion

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox DLL files 2 TTPs

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VMWare drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Drops startup file 1 IoCs

Processes:

windows-update-cve-wfw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt	windows-update-cve-wfw.exe

Drops file in Program Files directory 7557 IoCs

Processes:

windows-update-cve-wfw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock@2x.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\Y2lyY2xlXzJ4LnBuZw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\aWNvbnMucG5n.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\7-Zip\Lang\YWYudHh0.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\UFJFVklFVy5HSUY=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\Y2xvdWRfaWNvbi5wbmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuaGVscC5iYXNlLm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\RXhjZWxMb2dvLmNvbnRyYXN0LXdoaXRlX3NjYWxlLTEwMC5wbmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\UkVBRE1FX3RoX2VuX0NBX3YyLnR4dA==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\QTEyX0Nyb3NzbWFya19XaGl0ZUAxeC5wbmc=.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Q2FuY2VsR2x5cGguMTYuR3JheUYucG5n.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\Y29yZV9pY29uc19yZXRpbmEucG5n.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cmVkdWNlZF9tb2RlLTJ4LnBuZw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLnNhdDRqLnBiXzIuMy41LnYyMDE0MDQwNzE3MzMuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\Y2hhbm5lbC1wcmVmcy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\c19mb2xkZXItZG93bl8zMi5zdmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\UG93ZXJQbnRMb2dvLnNjYWxlLTE4MC5wbmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\YmFjay1hcnJvdy1kaXNhYmxlZC5zdmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\Y3Jvc3MucG5n.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\anNzZS5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\UFJFVklFVy5HSUY=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\ZXhhbXBsZV9pY29uczJ4LnBuZw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5xbC5ubF9qYV80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\ui-strings.js	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\Rmlyc3RSdW5Mb2dvU21hbGwuY29udHJhc3Qtd2hpdGVfc2NhbGUtMTQwLnBuZw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ZG93bmxvYWQuc3Zn.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\RWRpdEAzeC5wbmc=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\ZXhwb3J0cGRmdXBzZWxsLWFwcC10b29sLXZpZXcuanM=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\YWRvYmVfbG9nby5wbmc=.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\dWktc3RyaW5ncy5qcw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg	windows-update-cve-wfw.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3580 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3612 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1880 PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4200 vssvc.exe
Token: SeRestorePrivilege 4200 vssvc.exe
Token: SeAuditPrivilege 4200 vssvc.exe

pid	process
3580	vssadmin.exe

pid	process
3612	reg.exe

pid	process
1880	PING.EXE

description	pid	process
Token: SeBackupPrivilege	4200	vssvc.exe
Token: SeRestorePrivilege	4200	vssvc.exe
Token: SeAuditPrivilege	4200	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

windows-update-cve-wfw.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 4968	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 4968	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 5056	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 5056	4760	windows-update-cve-wfw.exe	cmd.exe
PID 5056 wrote to memory of 3580	5056	cmd.exe	vssadmin.exe
PID 5056 wrote to memory of 3580	5056	cmd.exe	vssadmin.exe
PID 4968 wrote to memory of 3612	4968	cmd.exe	reg.exe
PID 4968 wrote to memory of 3612	4968	cmd.exe	reg.exe
PID 4760 wrote to memory of 4192	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 4192	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 1668	4760	windows-update-cve-wfw.exe	cmd.exe
PID 4760 wrote to memory of 1668	4760	windows-update-cve-wfw.exe	cmd.exe
PID 1668 wrote to memory of 1880	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1880	1668	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe
"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:3612

C:\Windows\system32\cmd.exe
cmd /C vssadmin Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3580

C:\Windows\system32\cmd.exe
cmd /C "rd /s /q C:\\$RECYCLE.BIN"
2⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Virtualization/Sandbox Evasion

3

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

File and Directory Discovery

3

T1083

Virtualization/Sandbox Evasion

3

T1497

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-8-0x0000000000000000-mapping.dmp

Download
memory/1880-9-0x0000000000000000-mapping.dmp

Download
memory/3580-5-0x0000000000000000-mapping.dmp

Download
memory/3612-6-0x0000000000000000-mapping.dmp

Download
memory/4192-7-0x0000000000000000-mapping.dmp

Download
memory/4760-2-0x0000000000C50000-0x0000000000F37000-memory.dmp

Filesize
2.9MB

Download
memory/4968-3-0x0000000000000000-mapping.dmp

Download
memory/5056-4-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing