Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-12-2020 11:12
Static task
static1
Behavioral task
behavioral1
Sample
windows-update-cve-wfw.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
windows-update-cve-wfw.exe
Resource
win10v20201028
General
-
Target
windows-update-cve-wfw.exe
-
Size
2.7MB
-
MD5
d3715ab62bb922b56fb64b38c3feae8f
-
SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6
-
SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
-
SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt
http://decryptu7o2cckt5.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox DLL files 2 TTPs
-
Looks for VirtualBox drivers on disk 2 TTPs
-
Looks for VMWare drivers on disk 2 TTPs
-
Drops startup file 1 IoCs
Processes:
windows-update-cve-wfw.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 7557 IoCs
Processes:
windows-update-cve-wfw.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock@2x.png windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\Y2lyY2xlXzJ4LnBuZw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\aWNvbnMucG5n.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\7-Zip\Lang\YWYudHh0.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-execution.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\UFJFVklFVy5HSUY=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\Y2xvdWRfaWNvbi5wbmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuaGVscC5iYXNlLm5sX2phXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\RXhjZWxMb2dvLmNvbnRyYXN0LXdoaXRlX3NjYWxlLTEwMC5wbmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\UkVBRE1FX3RoX2VuX0NBX3YyLnR4dA==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\QTEyX0Nyb3NzbWFya19XaGl0ZUAxeC5wbmc=.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Q2FuY2VsR2x5cGguMTYuR3JheUYucG5n.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\Y29yZV9pY29uc19yZXRpbmEucG5n.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cmVkdWNlZF9tb2RlLTJ4LnBuZw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLnNhdDRqLnBiXzIuMy41LnYyMDE0MDQwNzE3MzMuamFy.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Mozilla Firefox\defaults\pref\Y2hhbm5lbC1wcmVmcy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\c19mb2xkZXItZG93bl8zMi5zdmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\UG93ZXJQbnRMb2dvLnNjYWxlLTE4MC5wbmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\YmFjay1hcnJvdy1kaXNhYmxlZC5zdmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\Y3Jvc3MucG5n.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files\Java\jre1.8.0_66\lib\anNzZS5qYXI=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\UFJFVklFVy5HSUY=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\ZXhhbXBsZV9pY29uczJ4LnBuZw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg windows-update-cve-wfw.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5xbC5ubF9qYV80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\ui-strings.js windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\Rmlyc3RSdW5Mb2dvU21hbGwuY29udHJhc3Qtd2hpdGVfc2NhbGUtMTQwLnBuZw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ZG93bmxvYWQuc3Zn.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\RWRpdEAzeC5wbmc=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\ZXhwb3J0cGRmdXBzZWxsLWFwcC10b29sLXZpZXcuanM=.lockedv1 windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\YWRvYmVfbG9nby5wbmc=.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html windows-update-cve-wfw.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\dWktc3RyaW5ncy5qcw==.lockedv1 windows-update-cve-wfw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF windows-update-cve-wfw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg windows-update-cve-wfw.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3580 vssadmin.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 4200 vssvc.exe Token: SeRestorePrivilege 4200 vssvc.exe Token: SeAuditPrivilege 4200 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
windows-update-cve-wfw.execmd.execmd.execmd.exedescription pid process target process PID 4760 wrote to memory of 4968 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 4968 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 5056 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 5056 4760 windows-update-cve-wfw.exe cmd.exe PID 5056 wrote to memory of 3580 5056 cmd.exe vssadmin.exe PID 5056 wrote to memory of 3580 5056 cmd.exe vssadmin.exe PID 4968 wrote to memory of 3612 4968 cmd.exe reg.exe PID 4968 wrote to memory of 3612 4968 cmd.exe reg.exe PID 4760 wrote to memory of 4192 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 4192 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 1668 4760 windows-update-cve-wfw.exe cmd.exe PID 4760 wrote to memory of 1668 4760 windows-update-cve-wfw.exe cmd.exe PID 1668 wrote to memory of 1880 1668 cmd.exe PING.EXE PID 1668 wrote to memory of 1880 1668 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.execmd /C vssadmin Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /C "rd /s /q C:\\$RECYCLE.BIN"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1668-8-0x0000000000000000-mapping.dmp
-
memory/1880-9-0x0000000000000000-mapping.dmp
-
memory/3580-5-0x0000000000000000-mapping.dmp
-
memory/3612-6-0x0000000000000000-mapping.dmp
-
memory/4192-7-0x0000000000000000-mapping.dmp
-
memory/4760-2-0x0000000000C50000-0x0000000000F37000-memory.dmpFilesize
2.9MB
-
memory/4968-3-0x0000000000000000-mapping.dmp
-
memory/5056-4-0x0000000000000000-mapping.dmp