1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

Resubmissions

28-12-2020 17:21

201228-w8s6w2cpm2 10

28-12-2020 11:12

201228-bctexhqz8s 10

Analysis

max time kernel
129s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
28-12-2020 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows-update-cve-wfw.exe
Size

2.7MB
MD5

d3715ab62bb922b56fb64b38c3feae8f
SHA1

5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256

1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512

8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Score

10^/10

evasion ransomware spyware trojan

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt

Ransom Note

How to decrypt: Download Tor Browser (https://www.torproject.org/dist/torbrowser/10.0.7/torbrowser-install-10.0.7_en-US.exe) and install. Open http://decryptu7o2cckt5.onion with Tor Browser. Paste yor KEY 03b76-1c61afa6b-ca44645589-e266e and follow instructions Your KEY 03b76-1c61afa6b-ca44645589-e266e

URLs

http://decryptu7o2cckt5.onion

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox DLL files 2 TTPs

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

windows-update-CVE-wFW.exe

pid process

2040 windows-update-CVE-wFW.exe
Looks for VMWare drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe
Drops startup file 1 IoCs

Processes:

windows-update-cve-wfw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt windows-update-cve-wfw.exe
Loads dropped DLL 6 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2040	windows-update-CVE-wFW.exe

pid	process
1700	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt	windows-update-cve-wfw.exe

pid	process
1268
1268
1268
1268
1268
1268

JavaScript code in executable 7 IoCs

Processes:

resource	yara_rule
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe	js

Drops file in Program Files directory 6138 IoCs

Processes:

windows-update-cve-wfw.exewindows-update-CVE-wFW.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UudXBkYXRlLmNvbmZpZ3VyYXRvci5ubF9qYV80LjQuMC52MjAxNDA2MjMwMjAwMDIuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\U0NIT0xfMDIuTUlE.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\U1BBQ0VfMDEuTUlE.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\ZXBsLXYxMC5odG1s.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5xbF8yLjAuMTAwLnYyMDEzMTIxMS0xNTMxLmphcg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\b3JnLW5ldGJlYW5zLWNvcmUtaW8tdWkuamFy.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\QkQxMDg5MF8uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	windows-update-CVE-wFW.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuY29yZS5uZXQud2luMzIueDg2XzY0Lm5sX3poXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\SjAxMTU4NzUuR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\YWJvdXQuaHRtbA==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\Y29tLXN1bi10b29scy12aXN1YWx2bS1ob3N0LXZpZXdzLmphcg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\VEhNQk5BSUwuUE5H.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\V0IwMTc1MF8uR0lG.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\VEFCX09OLkdJRg==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	windows-update-cve-wfw.exe
File created	C:\Program Files\RGlzYWJsZUNvbm5lY3QuN3o=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\bGljZW5zZS5odG1s.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\YmdfVGV4dHVyZWRCbHVlLmdpZg==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	windows-update-cve-wfw.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\dWktaWNvbnNfZWY4YzA4XzI1NngyNDAucG5n.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VmlzdWFsRWxlbWVudHNfNzAucG5n.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\TVMuQ0dN.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\QkQxNDU3OF8uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\QkQxNDY3N18uR0lG.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\ConvertPop.ods	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\bGljZW5zZS5odG1s.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\dXRpbGl0eWZ1bmN0aW9ucy5qcw==.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BOMB.WAV	windows-update-cve-wfw.exe
File created	C:\Program Files\7-Zip\Lang\bGlqLnR4dA==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Y29tLXN1bi10b29scy12aXN1YWx2bS10aHJlYWRkdW1wX2phLmphcg==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jre7\lib\anZtLmhwcm9mLnR4dA==.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\UEgwMjc1NFUuQk1Q.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YnV0dG9uX21pZC5naWY=.lockedv1	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\Y29udGJpZy5naWY=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\b3JnLmVjbGlwc2UuZXF1aW5veC5wMi5hcnRpZmFjdC5yZXBvc2l0b3J5Lm5sX3poXzQuNC4wLnYyMDE0MDYyMzAyMDAwMi5qYXI=.lockedv1	windows-update-cve-wfw.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SjAxNDQ3NzMuSlBH.lockedv1	windows-update-cve-wfw.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1888 vssadmin.exe
1260 vssadmin.exe

pid	process
1888	vssadmin.exe
1260	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	rundll32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1644 reg.exe
1780 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1792 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

228 PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1308 vssvc.exe
Token: SeRestorePrivilege 1308 vssvc.exe
Token: SeAuditPrivilege 1308 vssvc.exe

pid	process
1644	reg.exe
1780	reg.exe

pid	process
1792	NOTEPAD.EXE

pid	process
228	PING.EXE

description	pid	process
Token: SeBackupPrivilege	1308	vssvc.exe
Token: SeRestorePrivilege	1308	vssvc.exe
Token: SeAuditPrivilege	1308	vssvc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

windows-update-cve-wfw.execmd.execmd.execmd.exewindows-update-CVE-wFW.execmd.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 784 wrote to memory of 1908	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1908	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1908	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1760	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1760	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1760	784	windows-update-cve-wfw.exe	cmd.exe
PID 1908 wrote to memory of 1780	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 1780	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 1780	1908	cmd.exe	reg.exe
PID 1760 wrote to memory of 1260	1760	cmd.exe	vssadmin.exe
PID 1760 wrote to memory of 1260	1760	cmd.exe	vssadmin.exe
PID 1760 wrote to memory of 1260	1760	cmd.exe	vssadmin.exe
PID 784 wrote to memory of 396	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 396	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 396	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1700	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1700	784	windows-update-cve-wfw.exe	cmd.exe
PID 784 wrote to memory of 1700	784	windows-update-cve-wfw.exe	cmd.exe
PID 1700 wrote to memory of 228	1700	cmd.exe	PING.EXE
PID 1700 wrote to memory of 228	1700	cmd.exe	PING.EXE
PID 1700 wrote to memory of 228	1700	cmd.exe	PING.EXE
PID 2040 wrote to memory of 2044	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 2044	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 2044	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 1424	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 1424	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 1424	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2044 wrote to memory of 1644	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1644	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1644	2044	cmd.exe	reg.exe
PID 1424 wrote to memory of 1888	1424	cmd.exe	vssadmin.exe
PID 1424 wrote to memory of 1888	1424	cmd.exe	vssadmin.exe
PID 1424 wrote to memory of 1888	1424	cmd.exe	vssadmin.exe
PID 2040 wrote to memory of 208	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 208	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 2040 wrote to memory of 208	2040	windows-update-CVE-wFW.exe	cmd.exe
PID 972 wrote to memory of 1796	972	rundll32.exe	NOTEPAD.EXE
PID 972 wrote to memory of 1796	972	rundll32.exe	NOTEPAD.EXE
PID 972 wrote to memory of 1796	972	rundll32.exe	NOTEPAD.EXE
PID 224 wrote to memory of 276	224	rundll32.exe	NOTEPAD.EXE
PID 224 wrote to memory of 276	224	rundll32.exe	NOTEPAD.EXE
PID 224 wrote to memory of 276	224	rundll32.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe
"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1780

C:\Windows\system32\cmd.exe
cmd /C vssadmin Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1260

C:\Windows\system32\cmd.exe
cmd /C "rd /s /q C:\\$RECYCLE.BIN"
2⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C ping 127.0.0.1 -n 10 > nul & del "C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READMEV1.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1792

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1644

C:\Windows\system32\cmd.exe
cmd /C vssadmin Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1888

C:\Windows\system32\cmd.exe
cmd /C "rd /s /q C:\\$RECYCLE.BIN"
2⤵
PID:208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt
1⤵
PID:1504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
2⤵
PID:1796

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
2⤵
PID:276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt
MD5
50262a247e047954224d62aeb1c8779e

SHA1
6479fd917fbc31cdca1e38d98d3fb154bb2d8b7d

SHA256
455e9b9dfaeda6813dc5be5500057cd7d0aa09e64627fd77843ba75753945242

SHA512
5ff02a8d94d0792265554fe6a7394edaf086dc04c39b29eee0b406fe276a21affdfb0a8d6a7a83240c55e1822f265f6c18f5f4018355162d291744b5d441f0a7

Download Submit
C:\Users\Admin\Desktop\READMEV1.txt
MD5
50262a247e047954224d62aeb1c8779e

SHA1
6479fd917fbc31cdca1e38d98d3fb154bb2d8b7d

SHA256
455e9b9dfaeda6813dc5be5500057cd7d0aa09e64627fd77843ba75753945242

SHA512
5ff02a8d94d0792265554fe6a7394edaf086dc04c39b29eee0b406fe276a21affdfb0a8d6a7a83240c55e1822f265f6c18f5f4018355162d291744b5d441f0a7

Download Submit
C:\Users\Admin\Desktop\TmV3TG9jay5tb3Y=.lockedv1
MD5
ea4b85c199dce2cabe7163e032594256

SHA1
13f780640355926a457f9b231f80a040facd8b35

SHA256
40d0251bc29f1da42b01249896593502ffc5a608a90e7a1a35d91e2a4474da05

SHA512
b3ab080297b078b4749690e068dfafca271804607adbc9db3ebe31a42b7acd9edcfb94db679b1785d6eeb6e10b4c1f256a7bb9d6c25229ebc06f50e5278d6c01

Download Submit
C:\Users\Admin\Desktop\UmVzdGFydEdyYW50Lnhscw==.lockedv1
MD5
4aa93eb21f5f7c23e01b61543bf5717b

SHA1
f21d764ee17db7aa56e204cf1ad677d1de82eace

SHA256
d73b2c148cc82c81f29fc2498a230eb380f8da39e8a557a4b64d34411dc1686e

SHA512
4f8542740036232d2b98ecc5b862192e0c5c8151ae87075cf128eef28af210801ee0b3d5fdeb8445e1a69ec86c5d1dd52d9d7ab7d9fc17dc6e4439b70540abde

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\windows-update-CVE-wFW.exe
MD5
d3715ab62bb922b56fb64b38c3feae8f

SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6

SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Download Submit
memory/208-28-0x0000000000000000-mapping.dmp

Download
memory/228-13-0x0000000000000000-mapping.dmp

Download
memory/276-32-0x0000000000000000-mapping.dmp

Download
memory/396-9-0x0000000000000000-mapping.dmp

Download
memory/784-3-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/784-2-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/784-4-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1260-8-0x0000000000000000-mapping.dmp

Download
memory/1424-25-0x0000000000000000-mapping.dmp

Download
memory/1644-26-0x0000000000000000-mapping.dmp

Download
memory/1700-12-0x0000000000000000-mapping.dmp

Download
memory/1760-6-0x0000000000000000-mapping.dmp

Download
memory/1780-7-0x0000000000000000-mapping.dmp

Download
memory/1796-30-0x0000000000000000-mapping.dmp

Download
memory/1848-11-0x000007FEF6A60000-0x000007FEF6CDA000-memory.dmp

Filesize
2.5MB

Download
memory/1888-27-0x0000000000000000-mapping.dmp

Download
memory/1908-5-0x0000000000000000-mapping.dmp

Download
memory/2040-23-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/2040-22-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/2044-24-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads