Analysis
- max time kernel: 129s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-12-2020 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: windows-update-cve-wfw.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: windows-update-cve-wfw.exe
  Resource: win10v20201028
General
- Target: windows-update-cve-wfw.exe
- Size: 2.7MB
- MD5: d3715ab62bb922b56fb64b38c3feae8f
- SHA1: 5f3442d9fddc111a8ee3de9e5fe243f259da52c6
- SHA256: 1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
- SHA512: 8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt
http://decryptu7o2cckt5.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox DLL files 2 TTPs
-
Looks for VirtualBox drivers on disk 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
pid process
2040 windows-update-CVE-wFW.exe
-
Looks for VMWare drivers on disk 2 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process
1700 cmd.exe
-
Drops startup file 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid process
1268
1268
1268
1268
1268
1268
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
JavaScript code in executable 7 IoCs
Processes:
resource yara_rule
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe js
-
Drops file in Program Files directory 6138 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UudXBkYXRlLmNvbmZpZ3VyYXRvci5ubF9qYV80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\U0NIT0xfMDIuTUlE.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\U1BBQ0VfMDEuTUlE.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\ZXBsLXYxMC5odG1s.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5xbF8yLjAuMTAwLnYyMDEzMTIxMS0xNTMxLmphcg==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW5ldGJlYW5zLWNvcmUtaW8tdWkuamFy.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\QkQxMDg5MF8uR0lG.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv windows-update-CVE-wFW.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jre7\README.txt windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuY29yZS5uZXQud2luMzIueDg2XzY0Lm5sX3poXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\SjAxMTU4NzUuR0lG.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\YWJvdXQuaHRtbA==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\Y29tLXN1bi10b29scy12aXN1YWx2bS1ob3N0LXZpZXdzLmphcg==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\VEhNQk5BSUwuUE5H.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\V0IwMTc1MF8uR0lG.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\VEFCX09OLkdJRg==.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt windows-update-cve-wfw.exe
File created C:\Program Files\RGlzYWJsZUNvbm5lY3QuN3o=.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\bGljZW5zZS5odG1s.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\YmdfVGV4dHVyZWRCbHVlLmdpZg==.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\7-Zip\Lang\da.txt windows-update-cve-wfw.exe
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar windows-update-cve-wfw.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\dWktaWNvbnNfZWY4YzA4XzI1NngyNDAucG5n.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF windows-update-cve-wfw.exe
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\VmlzdWFsRWxlbWVudHNfNzAucG5n.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\TVMuQ0dN.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxNDU3OF8uR0lG.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\QkQxNDY3N18uR0lG.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\ConvertPop.ods windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\bGljZW5zZS5odG1s.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\dXRpbGl0eWZ1bmN0aW9ucy5qcw==.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BOMB.WAV windows-update-cve-wfw.exe
File created C:\Program Files\7-Zip\Lang\bGlqLnR4dA==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Y29tLXN1bi10b29scy12aXN1YWx2bS10aHJlYWRkdW1wX2phLmphcg==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jre7\lib\anZtLmhwcm9mLnR4dA==.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\UEgwMjc1NFUuQk1Q.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YnV0dG9uX21pZC5naWY=.lockedv1 windows-update-cve-wfw.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\Y29udGJpZy5naWY=.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5hcnRpZmFjdC5yZXBvc2l0b3J5Lm5sX3poXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1 windows-update-cve-wfw.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAxNDQ3NzMuSlBH.lockedv1 windows-update-cve-wfw.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1888 vssadmin.exe
1260 vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings rundll32.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid process
1792 NOTEPAD.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeBackupPrivilege 1308 vssvc.exe
Token: SeRestorePrivilege 1308 vssvc.exe
Token: SeAuditPrivilege 1308 vssvc.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
description pid process target process
PID 784 wrote to memory of 1908 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1908 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1908 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1760 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1760 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1760 784 windows-update-cve-wfw.exe cmd.exe
PID 1908 wrote to memory of 1780 1908 cmd.exe reg.exe
PID 1908 wrote to memory of 1780 1908 cmd.exe reg.exe
PID 1908 wrote to memory of 1780 1908 cmd.exe reg.exe
PID 1760 wrote to memory of 1260 1760 cmd.exe vssadmin.exe
PID 1760 wrote to memory of 1260 1760 cmd.exe vssadmin.exe
PID 1760 wrote to memory of 1260 1760 cmd.exe vssadmin.exe
PID 784 wrote to memory of 396 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 396 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 396 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1700 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1700 784 windows-update-cve-wfw.exe cmd.exe
PID 784 wrote to memory of 1700 784 windows-update-cve-wfw.exe cmd.exe
PID 1700 wrote to memory of 228 1700 cmd.exe PING.EXE
PID 1700 wrote to memory of 228 1700 cmd.exe PING.EXE
PID 1700 wrote to memory of 228 1700 cmd.exe PING.EXE
PID 2040 wrote to memory of 2044 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 2044 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 2044 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 1424 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 1424 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 1424 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2044 wrote to memory of 1644 2044 cmd.exe reg.exe
PID 2044 wrote to memory of 1644 2044 cmd.exe reg.exe
PID 2044 wrote to memory of 1644 2044 cmd.exe reg.exe
PID 1424 wrote to memory of 1888 1424 cmd.exe vssadmin.exe
PID 1424 wrote to memory of 1888 1424 cmd.exe vssadmin.exe
PID 1424 wrote to memory of 1888 1424 cmd.exe vssadmin.exe
PID 2040 wrote to memory of 208 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 208 2040 windows-update-CVE-wFW.exe cmd.exe
PID 2040 wrote to memory of 208 2040 windows-update-CVE-wFW.exe cmd.exe
PID 972 wrote to memory of 1796 972 rundll32.exe NOTEPAD.EXE
PID 972 wrote to memory of 1796 972 rundll32.exe NOTEPAD.EXE
PID 972 wrote to memory of 1796 972 rundll32.exe NOTEPAD.EXE
PID 224 wrote to memory of 276 224 rundll32.exe NOTEPAD.EXE
PID 224 wrote to memory of 276 224 rundll32.exe NOTEPAD.EXE
PID 224 wrote to memory of 276 224 rundll32.exe NOTEPAD.EXE
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\reg.exe
  command line: reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Modifies registry key
-
[level 2] C:\Windows\system32\cmd.exe
  command line: cmd /C vssadmin Delete Shadows /All /Quiet
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\vssadmin.exe
  command line: vssadmin Delete Shadows /All /Quiet
- Interacts with shadow copies
-
[level 2] C:\Windows\system32\cmd.exe
  command line: cmd /C "rd /s /q C:\\$RECYCLE.BIN"
-
[level 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\PING.EXE
  command line: ping 127.0.0.1 -n 10
- Runs ping.exe
-
[level 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[level 1] C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READMEV1.txt
- Opens file in notepad (likely ransom note)
-
[level 1] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
  command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\reg.exe
  command line: reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Modifies registry key
-
[level 2] C:\Windows\system32\cmd.exe
  command line: cmd /C vssadmin Delete Shadows /All /Quiet
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\vssadmin.exe
  command line: vssadmin Delete Shadows /All /Quiet
- Interacts with shadow copies
-
[level 2] C:\Windows\system32\cmd.exe
  command line: cmd /C "rd /s /q C:\\$RECYCLE.BIN"
-
[level 1] C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt
-
[level 1] C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
-
[level 1] C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5: d3715ab62bb922b56fb64b38c3feae8f
SHA1: 5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256: 1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512: 8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt
MD5: 50262a247e047954224d62aeb1c8779e
SHA1: 6479fd917fbc31cdca1e38d98d3fb154bb2d8b7d
SHA256: 455e9b9dfaeda6813dc5be5500057cd7d0aa09e64627fd77843ba75753945242
SHA512: 5ff02a8d94d0792265554fe6a7394edaf086dc04c39b29eee0b406fe276a21affdfb0a8d6a7a83240c55e1822f265f6c18f5f4018355162d291744b5d441f0a7
-
C:\Users\Admin\Desktop\READMEV1.txt
MD5: 50262a247e047954224d62aeb1c8779e
SHA1: 6479fd917fbc31cdca1e38d98d3fb154bb2d8b7d
SHA256: 455e9b9dfaeda6813dc5be5500057cd7d0aa09e64627fd77843ba75753945242
SHA512: 5ff02a8d94d0792265554fe6a7394edaf086dc04c39b29eee0b406fe276a21affdfb0a8d6a7a83240c55e1822f265f6c18f5f4018355162d291744b5d441f0a7
-
C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
MD5: ea4b85c199dce2cabe7163e032594256
SHA1: 13f780640355926a457f9b231f80a040facd8b35
SHA256: 40d0251bc29f1da42b01249896593502ffc5a608a90e7a1a35d91e2a4474da05
SHA512: b3ab080297b078b4749690e068dfafca271804607adbc9db3ebe31a42b7acd9edcfb94db679b1785d6eeb6e10b4c1f256a7bb9d6c25229ebc06f50e5278d6c01
-
C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
MD5: 4aa93eb21f5f7c23e01b61543bf5717b
SHA1: f21d764ee17db7aa56e204cf1ad677d1de82eace
SHA256: d73b2c148cc82c81f29fc2498a230eb380f8da39e8a557a4b64d34411dc1686e
SHA512: 4f8542740036232d2b98ecc5b862192e0c5c8151ae87075cf128eef28af210801ee0b3d5fdeb8445e1a69ec86c5d1dd52d9d7ab7d9fc17dc6e4439b70540abde
-
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5: d3715ab62bb922b56fb64b38c3feae8f
SHA1: 5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256: 1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512: 8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
-
memory/208-28-0x0000000000000000-mapping.dmp
-
memory/228-13-0x0000000000000000-mapping.dmp
-
memory/276-32-0x0000000000000000-mapping.dmp
-
memory/396-9-0x0000000000000000-mapping.dmp
-
memory/784-3-0x0000000000400000-0x00000000006E7000-memory.dmp
Filesize: 2.9MB
-
memory/784-2-0x0000000000400000-0x00000000006E7000-memory.dmp
Filesize: 2.9MB
-
memory/784-4-0x0000000000400000-0x00000000006E7000-memory.dmp
Filesize: 2.9MB
-
memory/1260-8-0x0000000000000000-mapping.dmp
-
memory/1424-25-0x0000000000000000-mapping.dmp
-
memory/1644-26-0x0000000000000000-mapping.dmp
-
memory/1700-12-0x0000000000000000-mapping.dmp
-
memory/1760-6-0x0000000000000000-mapping.dmp
-
memory/1780-7-0x0000000000000000-mapping.dmp
-
memory/1796-30-0x0000000000000000-mapping.dmp
-
memory/1848-11-0x000007FEF6A60000-0x000007FEF6CDA000-memory.dmp
Filesize: 2.5MB
-
memory/1888-27-0x0000000000000000-mapping.dmp
-
memory/1908-5-0x0000000000000000-mapping.dmp
-
memory/2040-23-0x0000000000400000-0x00000000006E7000-memory.dmp
Filesize: 2.9MB
-
memory/2040-22-0x0000000000400000-0x00000000006E7000-memory.dmp
Filesize: 2.9MB
-
memory/2044-24-0x0000000000000000-mapping.dmp