1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7

General

Target

windows-update-cve-wfw.exe
Size

2.7MB
MD5

d3715ab62bb922b56fb64b38c3feae8f
SHA1

5f3442d9fddc111a8ee3de9e5fe243f259da52c6
SHA256

1fda7a2eeb2478c97b59f75f094c546d585923b286d8d7a52d4afe2795f186e7
SHA512

8b7164b2b18d94e1d327fceb858c8d87a2d743bdaa95277e4449788a8e363eca18596490d7fa686501552b7ee273487bb431fb07520e115c67227c8b5507e439

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox DLL files 2 TTPs

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497
Looks for VMWare drivers on disk 2 TTPs
evasion

File and Directory Discovery
T1083

Virtualization/Sandbox Evasion
T1497

Drops file in Program Files directory 398 IoCs

Processes:

windows-update-cve-wfw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoCanary.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jawt.h	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	windows-update-cve-wfw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	windows-update-cve-wfw.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1864 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1156 reg.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3268 vssvc.exe
Token: SeRestorePrivilege 3268 vssvc.exe
Token: SeAuditPrivilege 3268 vssvc.exe

pid	process
1864	vssadmin.exe

pid	process
1156	reg.exe

description	pid	process
Token: SeBackupPrivilege	3268	vssvc.exe
Token: SeRestorePrivilege	3268	vssvc.exe
Token: SeAuditPrivilege	3268	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

windows-update-cve-wfw.execmd.execmd.exe

description	pid	process	target process
PID 3372 wrote to memory of 1788	3372	windows-update-cve-wfw.exe	cmd.exe
PID 3372 wrote to memory of 1788	3372	windows-update-cve-wfw.exe	cmd.exe
PID 3372 wrote to memory of 592	3372	windows-update-cve-wfw.exe	cmd.exe
PID 3372 wrote to memory of 592	3372	windows-update-cve-wfw.exe	cmd.exe
PID 1788 wrote to memory of 1156	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1156	1788	cmd.exe	reg.exe
PID 592 wrote to memory of 1864	592	cmd.exe	vssadmin.exe
PID 592 wrote to memory of 1864	592	cmd.exe	vssadmin.exe
PID 3372 wrote to memory of 588	3372	windows-update-cve-wfw.exe	cmd.exe
PID 3372 wrote to memory of 588	3372	windows-update-cve-wfw.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe
"C:\Users\Admin\AppData\Local\Temp\windows-update-cve-wfw.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1156

C:\Windows\system32\cmd.exe
cmd /C vssadmin Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1864

C:\Windows\system32\cmd.exe
cmd /C "rd /s /q C:\\$RECYCLE.BIN"
2⤵
PID:588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Virtualization/Sandbox Evasion

3

T1497

Credential Access

Discovery

File and Directory Discovery

3

T1083

Virtualization/Sandbox Evasion

3

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-7-0x0000000000000000-mapping.dmp

Download
memory/592-4-0x0000000000000000-mapping.dmp

Download
memory/1156-5-0x0000000000000000-mapping.dmp

Download
memory/1788-3-0x0000000000000000-mapping.dmp

Download
memory/1864-6-0x0000000000000000-mapping.dmp

Download
memory/3372-2-0x0000000000BD0000-0x0000000000EB7000-memory.dmp

Filesize
2.9MB

Download

Resubmissions

Analysis

Sharing