Analysis
max time kernel: 59s
max time network: 150s
resource: win10v191014
submitted: 06-02-2020 11:02

Tasks
task1: sample d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe, resource win7v191014
task2: sample d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe, resource win10v191014

General
Target: d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Size: 376KB
MD5: a521f2c76e2212feb810e6bc1d35995a
SHA1: e0bc61d4e38c30f86d7236b431db50e411e60c06
SHA256: d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382
SHA512: 868ebdcb41453316f6dc6fa1344479df7b0f5807bebe4d17721d77ebacb8a7dc31f0e11f2cb9fcacd869fb2326b561ece3a5ad0999ba824e14255040f4ae8280
Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.

Modifies Windows Firewall (1 TTP)

Drops desktop.ini file(s) (7 IoCs)
Process (all entries): d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created: C:\Program Files\desktop.ini
File opened for modification: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
File created: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification: C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini
File created: C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini
File opened for modification: C:\Program Files\desktop.ini
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 3, HTTP URL: http://www.sfml-dev.org/ip-provider.php
This URL is the endpoint queried by the SFML network library's sf::IpAddress::getPublicAddress(), so the request is a library artefact of an SFML-built binary rather than a custom check-in; it remains a usable network indicator for this sample.
Drops file in Program Files directory (64 IoCs)
Process (all entries): d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Encrypted files are renamed <original name>.Email=[<address>]ID=[CA98K5NVU1DOPJQ].odveta; the address inside Email=[...] appears as [email protected] in this copy of the report and is not recoverable from it.
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\clone.scale-180.png
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5313_20x20x32.png
File created: C:\Program Files\7-Zip\Lang\co.txt.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms
File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png
File opened for modification: C:\Program Files\7-Zip\Lang\be.txt
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\NewScene.scale-180.png
File created: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sv\Microsoft.AnalysisServices.Excel.BackEnd.resources.dll
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\LightedTextured_PixelLighting_VS.fxo
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-compat.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\he\Microsoft.ReportingServices.QueryDesigners.resources.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\fi\PowerViewRes.fi.xap.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tr\Microsoft.ReportingServices.QueryDesigners.resources.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms
File opened for modification: C:\Program Files\DisablePush.M2V.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png
File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-white.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-latn\Microsoft.DataWarehouse.Interfaces.resources.dll
File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ProjectionPlanar.scale-180.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Extreme_Altitude_Unearned_small.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_DE-DE.respack
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ar\Microsoft.ReportingServices.ReportDesign.Common.resources.dll
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\contrast-black\DashboardDefaultThumbnail.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\lt\LocalizedStrings.xml
File opened for modification: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png
File opened for modification: C:\Program Files\DenyUnlock.cmd.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\attach.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\7-Zip\Lang\ga.txt.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Printer.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100_contrast-white.png
File created: C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta
NTFS ADS (3 IoCs)
Process (all entries): d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification: C:\Documents and Settings\zh-TW\8:챈Ɏt.ex
File opened for modification: C:\Documents and Settings\zh-TW\8:⻘Dzt.ex
File opened for modification: C:\Documents and Settings\zh-TW\8:⾰DŽt.ex

Runs net.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Process: PID 4876 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe (all 18 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe, cmd.exe, net.exe
Each row: source PID -> target PID (source process -> target process); every write appears three times in the log, except the last, where the 64-entry list is cut off.
4876 -> 4924 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4924 -> 4964 (cmd.exe -> net.exe), 3 times
4964 -> 4984 (net.exe -> net1.exe), 3 times
4876 -> 5016 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
5016 -> 5056 (cmd.exe -> net.exe), 3 times
5056 -> 5072 (net.exe -> net1.exe), 3 times
4876 -> 5092 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
5092 -> 1856 (cmd.exe -> net.exe), 3 times
1856 -> 1704 (net.exe -> net1.exe), 3 times
4876 -> 360 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
360 -> 1000 (cmd.exe -> net.exe), 3 times
1000 -> 2092 (net.exe -> net1.exe), 3 times
4876 -> 4008 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4008 -> 4448 (cmd.exe -> net.exe), 3 times
4448 -> 3176 (net.exe -> net1.exe), 3 times
4876 -> 3672 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4876 -> 1820 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4876 -> 4552 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4876 -> 4668 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 3 times
4668 -> 4652 (cmd.exe -> net.exe), 3 times
4652 -> 3760 (net.exe -> net1.exe), 3 times
4876 -> 4320 (d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -> cmd.exe), 1 time (list truncated)
Processes
Tree depth is shown in brackets; signature hits for each process are listed as bullets beneath it. Note that the image paths are under C:\Windows\SysWOW64 while the command lines say C:\Windows\system32: the sample is a 32-bit process, so file-system redirection maps its system32 references to SysWOW64. Match on command line, not image path, when writing rules from this tree.

[1] C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe  PID 4876
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4924
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLWriter
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 4964
        cmdline: net stop SQLWriter
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 4984
          cmdline: C:\Windows\system32\net1 stop SQLWriter

  [2] C:\Windows\SysWOW64\cmd.exe  PID 5016
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 5056
        cmdline: net stop SQLBrowser
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 5072
          cmdline: C:\Windows\system32\net1 stop SQLBrowser

  [2] C:\Windows\SysWOW64\cmd.exe  PID 5092
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 1856
        cmdline: net stop MSSQLSERVER
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 1704
          cmdline: C:\Windows\system32\net1 stop MSSQLSERVER

  [2] C:\Windows\SysWOW64\cmd.exe  PID 360
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 1000
        cmdline: net stop MSSQL$CONTOSO1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 2092
          cmdline: C:\Windows\system32\net1 stop MSSQL$CONTOSO1

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4008
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSDTC
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 4448
        cmdline: net stop MSDTC
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 3176
          cmdline: C:\Windows\system32\net1 stop MSDTC

  [2] C:\Windows\SysWOW64\cmd.exe  PID 3672
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

  [2] C:\Windows\SysWOW64\cmd.exe  PID 1820
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4552
      cmdline: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4668
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe  PID 4652
        cmdline: net stop SQLSERVERAGENT
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe  PID 3760
          cmdline: C:\Windows\system32\net1 stop SQLSERVERAGENT

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4320
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    [3] C:\Windows\SysWOW64\net.exe  PID 3796
        cmdline: net stop MSSQLSERVER
      [4] C:\Windows\SysWOW64\net1.exe  PID 4108
          cmdline: C:\Windows\system32\net1 stop MSSQLSERVER

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4176
      cmdline: C:\Windows\system32\cmd.exe /c net stop vds
    [3] C:\Windows\SysWOW64\net.exe  PID 4200
        cmdline: net stop vds
      [4] C:\Windows\SysWOW64\net1.exe  PID 4116
          cmdline: C:\Windows\system32\net1 stop vds

  [2] C:\Windows\SysWOW64\cmd.exe  PID 4132
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    [3] C:\Windows\SysWOW64\netsh.exe  PID 4208
        cmdline: netsh advfirewall set currentprofile state off

  [2] C:\Windows\SysWOW64\cmd.exe  PID 2440
      cmdline: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    [3] C:\Windows\SysWOW64\netsh.exe  PID 4756
        cmdline: netsh firewall set opmode mode=disable
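The Python below is an added example, not part of this sandbox report and not code from the Ouroboros/Zeropadypt sample or from CryptoWire. It serves two passages above: the process tree, whose command lines it maps to the preparation behaviours they implement (stopping database and backup-related services, disabling boot recovery with bcdedit, deleting the Windows Backup catalog with wbadmin, and turning off the firewall with both netsh forms), and the "Drops file in Program Files directory" signature, whose <name>.Email=[...]ID=[...].odveta renaming it parses back to the original path. The ATT&CK technique IDs, the regular expressions and the verdict thresholds are this example's own assumptions; the process records and the sample file name are constructed from the lines of this report, and the address inside Email=[...] is carried exactly as it appears here, [email protected].

```python
"""Map the sandbox process tree above to ransomware-preparation behaviours and
parse the sample's encrypted-file naming scheme. Added example, not report code."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Command-line patterns for the steps visible in the tree. The technique IDs are
# this example's own mapping (assumption), not labels from the sandbox.
PATTERNS = [
    # net stop <service> as issued by cmd.exe, net.exe or net1.exe (T1489 Service Stop)
    ("T1489", "service stop",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(?P<arg>\S+)", re.I)),
    # bcdedit settings that keep Windows from offering recovery after a failed boot
    ("T1490", "boot recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?\b(?P<arg>recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)", re.I)),
    # wbadmin delete catalog removes the Windows Backup catalog
    ("T1490", "backup catalog deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?P<arg>catalog)\b", re.I)),
    # both the current (advfirewall) and the legacy (firewall) netsh syntax
    ("T1562.004", "firewall disabled",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?P<arg>advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
]

# Suffix the sample appends: <original>.Email=[<address>]ID=[<victim id>].odveta
ENCRYPTED_NAME_RE = re.compile(
    r"\.Email=\[(?P<email>.+?)\]ID=\[(?P<vid>[A-Z0-9]+)\]\.odveta$")


def classify_command(cmdline: str) -> List[Tuple[str, str, str]]:
    """Return (technique, label, matched argument) for every pattern the command line hits."""
    hits = []
    for technique, label, rx in PATTERNS:
        m = rx.search(cmdline)
        if m:
            hits.append((technique, label, re.sub(r"\s+", " ", m.group("arg"))))
    return hits


def summarise_tree(records: Iterable[Tuple[int, int, str]]) -> Dict[str, Set[str]]:
    """Collapse (pid, ppid, cmdline) records into technique -> distinct arguments.

    The cmd.exe -> net.exe -> net1.exe chain repeats each 'net stop' three times;
    keying on the argument removes that duplication. Service names are
    case-insensitive on Windows, so they are upper-cased before comparison.
    """
    out: Dict[str, Set[str]] = defaultdict(set)
    for _pid, _ppid, cmdline in records:
        for technique, _label, arg in classify_command(cmdline):
            out[technique].add(arg.upper() if technique == "T1489" else arg.lower())
    return dict(out)


def verdict(summary: Dict[str, Set[str]]) -> str:
    """Service stops alone are routine administration; paired with recovery
    inhibition or firewall tampering they are a strong ransomware-preparation signal
    (threshold is this example's choice)."""
    if "T1490" in summary and ("T1489" in summary or "T1562.004" in summary):
        return "ransomware-preparation"
    return "suspicious" if summary else "clean"


def parse_encrypted_name(path: str) -> Optional[Tuple[str, str, str]]:
    """Return (address, victim id, original path) when the name carries the ransom suffix."""
    m = ENCRYPTED_NAME_RE.search(path)
    return (m.group("email"), m.group("vid"), path[:m.start()]) if m else None


# Constructed input: (pid, ppid, command line) triples taken from the process tree above.
TREE = [
    (4924, 4876, r"C:\Windows\system32\cmd.exe /c net stop SQLWriter"),
    (4964, 4924, r"net stop SQLWriter"),
    (4984, 4964, r"C:\Windows\system32\net1 stop SQLWriter"),
    (5016, 4876, r"C:\Windows\system32\cmd.exe /c net stop SQLBrowser"),
    (5092, 4876, r"C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER"),
    (360, 4876, r"C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1"),
    (4008, 4876, r"C:\Windows\system32\cmd.exe /c net stop MSDTC"),
    (3672, 4876, r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1820, 4876, r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    (4552, 4876, r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    (4668, 4876, r"C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT"),
    (4320, 4876, r"C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER"),
    (4176, 4876, r"C:\Windows\system32\cmd.exe /c net stop vds"),
    (4132, 4876, r"C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off"),
    (2440, 4876, r"C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable"),
]

if __name__ == "__main__":
    summary = summarise_tree(TREE)
    for technique, args in sorted(summary.items()):
        print(technique, sorted(args))
    print("verdict:", verdict(summary))
    # Constructed from the 7-Zip entry in the Program Files signature above.
    print(parse_encrypted_name(
        r"C:\Program Files\7-Zip\Lang\co.txt.Email=[[email protected]]ID=[CA98K5NVU1DOPJQ].odveta"))
```

Two points of the design follow directly from the report. The sample issues both `netsh advfirewall set currentprofile state off` and the legacy `netsh firewall set opmode mode=disable`, so a rule that matches only the modern syntax sees half of the firewall tampering; the pattern list covers both. And because the ransom suffix is appended rather than replacing the extension, the original file name (and therefore the file type) is recoverable from the encrypted name alone, which is why parse_encrypted_name returns the original path for triage.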