ouroboros | d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382

General

Target

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Size

376KB
MD5

a521f2c76e2212feb810e6bc1d35995a
SHA1

e0bc61d4e38c30f86d7236b431db50e411e60c06
SHA256

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382
SHA512

868ebdcb41453316f6dc6fa1344479df7b0f5807bebe4d17721d77ebacb8a7dc31f0e11f2cb9fcacd869fb2326b561ece3a5ad0999ba824e14255040f4ae8280

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 7 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File created	C:\Program Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\clone.scale-180.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5313_20x20x32.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\NewScene.scale-180.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sv\Microsoft.AnalysisServices.Excel.BackEnd.resources.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\LightedTextured_PixelLighting_VS.fxo	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-compat.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\he\Microsoft.ReportingServices.QueryDesigners.resources.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\fi\PowerViewRes.fi.xap.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tr\Microsoft.ReportingServices.QueryDesigners.resources.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\DisablePush.M2V.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-white.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-latn\Microsoft.DataWarehouse.Interfaces.resources.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ProjectionPlanar.scale-180.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Extreme_Altitude_Unearned_small.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_DE-DE.respack	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ar\Microsoft.ReportingServices.ReportDesign.Common.resources.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\contrast-black\DashboardDefaultThumbnail.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\lt\LocalizedStrings.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\DenyUnlock.cmd.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\attach.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Printer.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100_contrast-white.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.Email=[SupportOdveta@protonmail.com]ID=[CA98K5NVU1DOPJQ].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

NTFS ADS 3 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:챈Ɏt.ex	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:⻘ǲt.ex	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:⾰Ǆt.ex	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

pid	process
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4876 wrote to memory of 4924	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4924	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4924	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4924 wrote to memory of 4964	4924	cmd.exe	net.exe
PID 4924 wrote to memory of 4964	4924	cmd.exe	net.exe
PID 4924 wrote to memory of 4964	4924	cmd.exe	net.exe
PID 4964 wrote to memory of 4984	4964	net.exe	net1.exe
PID 4964 wrote to memory of 4984	4964	net.exe	net1.exe
PID 4964 wrote to memory of 4984	4964	net.exe	net1.exe
PID 4876 wrote to memory of 5016	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 5016	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 5016	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 5016 wrote to memory of 5056	5016	cmd.exe	net.exe
PID 5016 wrote to memory of 5056	5016	cmd.exe	net.exe
PID 5016 wrote to memory of 5056	5016	cmd.exe	net.exe
PID 5056 wrote to memory of 5072	5056	net.exe	net1.exe
PID 5056 wrote to memory of 5072	5056	net.exe	net1.exe
PID 5056 wrote to memory of 5072	5056	net.exe	net1.exe
PID 4876 wrote to memory of 5092	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 5092	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 5092	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 5092 wrote to memory of 1856	5092	cmd.exe	net.exe
PID 5092 wrote to memory of 1856	5092	cmd.exe	net.exe
PID 5092 wrote to memory of 1856	5092	cmd.exe	net.exe
PID 1856 wrote to memory of 1704	1856	net.exe	net1.exe
PID 1856 wrote to memory of 1704	1856	net.exe	net1.exe
PID 1856 wrote to memory of 1704	1856	net.exe	net1.exe
PID 4876 wrote to memory of 360	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 360	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 360	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 360 wrote to memory of 1000	360	cmd.exe	net.exe
PID 360 wrote to memory of 1000	360	cmd.exe	net.exe
PID 360 wrote to memory of 1000	360	cmd.exe	net.exe
PID 1000 wrote to memory of 2092	1000	net.exe	net1.exe
PID 1000 wrote to memory of 2092	1000	net.exe	net1.exe
PID 1000 wrote to memory of 2092	1000	net.exe	net1.exe
PID 4876 wrote to memory of 4008	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4008	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4008	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4008 wrote to memory of 4448	4008	cmd.exe	net.exe
PID 4008 wrote to memory of 4448	4008	cmd.exe	net.exe
PID 4008 wrote to memory of 4448	4008	cmd.exe	net.exe
PID 4448 wrote to memory of 3176	4448	net.exe	net1.exe
PID 4448 wrote to memory of 3176	4448	net.exe	net1.exe
PID 4448 wrote to memory of 3176	4448	net.exe	net1.exe
PID 4876 wrote to memory of 3672	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 3672	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 3672	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 1820	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 1820	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 1820	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4552	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4552	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4552	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4668	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4668	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4876 wrote to memory of 4668	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 4668 wrote to memory of 4652	4668	cmd.exe	net.exe
PID 4668 wrote to memory of 4652	4668	cmd.exe	net.exe
PID 4668 wrote to memory of 4652	4668	cmd.exe	net.exe
PID 4652 wrote to memory of 3760	4652	net.exe	net1.exe
PID 4652 wrote to memory of 3760	4652	net.exe	net1.exe
PID 4652 wrote to memory of 3760	4652	net.exe	net1.exe
PID 4876 wrote to memory of 4320	4876	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
"C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:4320

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:3796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:4176

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:4200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:4132

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:2440

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4876-0-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/4876-1-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/4876-2-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/4876-3-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/4876-4-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads