1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

General

Target

windows-update-cve-wfw.exe
Size

2.7MB
Sample

201228-w8s6w2cpm2
MD5

d3715ab62bb922b56fb64b38c3feae8f
SHA1

5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256

1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512

8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt

Ransom Note

How to decrypt: Download Tor Browser (https://www.torproject.org/dist/torbrowser/10.0.7/torbrowser-install-10.0.7_en-US.exe) and install. Open http://decryptu7o2cckt5.onion with Tor Browser. Paste yor KEY 03b76-1c61afa6b-ca44645589-e266e and follow instructions Your KEY 03b76-1c61afa6b-ca44645589-e266e

URLs

http://decryptu7o2cckt5.onion

Targets

- Target
  
  windows-update-cve-wfw.exe
- Size
  
  2.7MB
- MD5
  
  d3715ab62bb922b56fb64b38c3feae8f
- SHA1
  
  5f3442d9fddc111a8ee3de9e5fe243f259da52c6
- SHA256
  
  1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
- SHA512
  
  8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
Score

10^/10

evasion ransomware spyware trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
  evasion
- Executes dropped EXE
- Looks for VMWare drivers on disk
  evasion
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- JavaScript code in executable
behavioral1 behavioral2