Analysis
-
max time kernel
7s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-12-2020 17:21
Static task
static1
Behavioral task
behavioral1
Sample
windows-update-cve-wfw.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
windows-update-cve-wfw.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
windows-update-cve-wfw.exe
-
Size
2.7MB
-
MD5
d3715ab62bb922b56fb64b38c3feae8f
-
SHA1
5f3442d9fddc111a8ee3de9e5fe243f259da52c6
-
SHA256
1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
-
SHA512
8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439
Score
10/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox DLL files 2 TTPs
-
Looks for VirtualBox drivers on disk 2 TTPs
-
Looks for VMWare drivers on disk 2 TTPs
-
Drops file in Program Files directory 398 IoCs
Processes:
windows-update-cve-wfw.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi windows-update-cve-wfw.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoCanary.png windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\ro.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar windows-update-cve-wfw.exe File opened for modification C:\Program Files\7-Zip\Lang\yo.txt windows-update-cve-wfw.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif windows-update-cve-wfw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar windows-update-cve-wfw.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1864 vssadmin.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3268 vssvc.exe Token: SeRestorePrivilege 3268 vssvc.exe Token: SeAuditPrivilege 3268 vssvc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
windows-update-cve-wfw.execmd.execmd.exedescription pid process target process PID 3372 wrote to memory of 1788 3372 windows-update-cve-wfw.exe cmd.exe PID 3372 wrote to memory of 1788 3372 windows-update-cve-wfw.exe cmd.exe PID 3372 wrote to memory of 592 3372 windows-update-cve-wfw.exe cmd.exe PID 3372 wrote to memory of 592 3372 windows-update-cve-wfw.exe cmd.exe PID 1788 wrote to memory of 1156 1788 cmd.exe reg.exe PID 1788 wrote to memory of 1156 1788 cmd.exe reg.exe PID 592 wrote to memory of 1864 592 cmd.exe vssadmin.exe PID 592 wrote to memory of 1864 592 cmd.exe vssadmin.exe PID 3372 wrote to memory of 588 3372 windows-update-cve-wfw.exe cmd.exe PID 3372 wrote to memory of 588 3372 windows-update-cve-wfw.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.execmd /C vssadmin Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /C "rd /s /q C:\\$RECYCLE.BIN"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/588-7-0x0000000000000000-mapping.dmp
-
memory/592-4-0x0000000000000000-mapping.dmp
-
memory/1156-5-0x0000000000000000-mapping.dmp
-
memory/1788-3-0x0000000000000000-mapping.dmp
-
memory/1864-6-0x0000000000000000-mapping.dmp
-
memory/3372-2-0x0000000000BD0000-0x0000000000EB7000-memory.dmpFilesize
2.9MB