
W32.MAP.Ransomware.rwd.

Paladin
Level 1

SHA-256 e5dccb33478bf13629d0a3f0ba7daceb56d7792e0132886ed129334ec6bb2a33 detected by MAP and convicted as W32.MAP.Ransomware.rwd. Found this post https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq59864, my Connector version is 7.4.1.20439. Not a known affected version. False positive?

 

Event Details
Medium
2021-09-03 12:40:43 UTC

MAP detected d8e57517-45af-4d42-a2f1-7844fb9956ae.exe, Sontheim Components-1.07.6504-12 - #12 Full 12.0.21175.732 (e5dccb33…c6bb2a33) as W32.MAP.Ransomware.rwd.

by AGCOUpdateService.exe, AGCOUpdateService for .NET 4.6.2 1.21.7684.29091 (87eb220c…22037f3b)[Unknown] executing as SYSTEM@NT AUTHORITY.

The file was not quarantined. Error: Cannot delete file.

Affected Files Count: 5

Affected Files:

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\9

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\10

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\12

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\11

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\13

 

File full path: C:\ProgramData\AGCO Corporation\AGCO Update\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe

File SHA-1: ae4ddbe24fb08d39791918d2a0ca8c94ab5de8f0.

File MD5: 075e4668ceca61859906d5288fbfd702.

File size: 183808096 bytes.

File signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file SHA-1: efff229cbfa81dd4d4f35f5adaae0bbd100667f0.

Parent file MD5: 4ecbfbc987d8072846c6115b028dc471.

Parent file size: 1938344 bytes.

Parent file age: 0 seconds.

Parent file signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file cert MD5: b1bcf6b5b1954a4dd1cb0de00cfbe3ba.

Parent file cert SHA-1: 159bf94e915ba45752d31b62979a3acf93bea108.

Parent process id: 5340.

Parent process SID: S-1-5-18 (Local System).

Accepted Solution

Wojciech Cecot
Cisco Employee

Hello Paladin,

Bug CSCvq59864 was fixed and shouldn't affect any 7.x or later Secure Endpoint connectors. Regarding the detection that you see, it is related to the MAP engine (Malicious Activity Protection) rule “rwd”: reading, writing and deleting a set of files within a short span of time. That happens with some software, especially during updates. If you are certain that it is legitimate software you can always create an exclusion of the following type: Process > Malicious Activity (for MAP engine) by using either Path or SHA.

Hope that helps

Wojciech
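To make the behaviour the reply describes concrete, here is an added toy model (not Cisco's MAP code) of a read/write/delete rule with a path-or-SHA exclusion check, run over constructed file-activity events modelled on the updater activity in the event above. The window, threshold, event format and the notepad.exe placeholder hash are assumptions.

```python
"""Toy 'rwd' rule: a process that reads, writes and deletes several distinct
files inside one short window is flagged, unless its path or SHA-256 is excluded.
Illustration only; window, threshold and event layout are assumed, not Cisco's."""
from collections import defaultdict

# Process path and hash taken from the event in the post
UPDATER = r"C:\ProgramData\AGCO Corporation\AGCO Update\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe"
UPDATER_SHA256 = "e5dccb33478bf13629d0a3f0ba7daceb56d7792e0132886ed129334ec6bb2a33"
REQUIRED = {"read", "write", "delete"}


def sample_events():
    """Constructed events: (ts_seconds, process_path, process_sha256, action, file_path)."""
    events = []
    base = r"C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1"
    for i, n in enumerate((9, 10, 11, 12, 13)):  # the five delta-package files named in the event
        f, t = f"{base}\\{n}", 0.3 * i
        events += [(t, UPDATER, UPDATER_SHA256, "read", f),
                   (t + 0.1, UPDATER, UPDATER_SHA256, "write", f),
                   (t + 0.2, UPDATER, UPDATER_SHA256, "delete", f)]
    # Unrelated process touching one file: must not trigger (placeholder hash)
    events.append((1.0, r"C:\Windows\notepad.exe", "b" * 64, "read", r"C:\Users\u\notes.txt"))
    return events


def is_excluded(process_path, sha256, exclusions):
    """Exclusion matches the process by path (case-insensitive) or by SHA-256."""
    return any(x.lower() in (process_path.lower(), sha256.lower()) for x in exclusions)


def detect_rwd(events, window=5.0, min_files=3, exclusions=()):
    """Return [(process_path, [files])] for processes that read, wrote and
    deleted at least min_files distinct files within `window` seconds."""
    by_proc = defaultdict(list)
    for ev in sorted(events):
        by_proc[(ev[1], ev[2])].append(ev)
    hits = []
    for (proc, sha), evs in by_proc.items():
        if is_excluded(proc, sha, exclusions):
            continue  # suppressed, like a Process > Malicious Activity exclusion
        for ts0, *_ in evs:  # slide the window start over each event of this process
            seen = defaultdict(set)
            for ts, _, _, action, path in evs:
                if ts0 <= ts <= ts0 + window:
                    seen[path].add(action)
            files = sorted(p for p, acts in seen.items() if acts >= REQUIRED)
            if len(files) >= min_files:
                hits.append((proc, files))
                break
    return hits
```

Running `detect_rwd(sample_events())` flags the updater on all five files; passing its path or SHA-256 in `exclusions` returns no hits.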
