Analysis
-
max time kernel
143s -
max time network
269s -
platform
windows7_x64 -
resource
win7v191014 -
submitted
11-02-2020 15:13
General
-
Target
8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe
-
Size
1.7MB
-
MD5
3f4181968baaf480a628d522c14cee75
-
SHA1
0cfbe9d8a205fa528c00c96253ff309ab666ee90
-
SHA256
8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351
-
SHA512
319332107b9da31aaa752dc75d5291c80668c204be2b6f0a3d31d4a48428bdccd5dcc7787678eb003fbb3d61af5245ea0d8c87b343cbaf77877e5f0c49e69db4
Malware Config
Extracted
Protocol: ftp- Host:
80.82.69.52 - Port:
21 - Username:
admin - Password:
asmodeusasmodeus
Signatures
-
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Drops file in Drivers directory 9 IoCs
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious Office macro 2 IoCs
Office document equipped with macros.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"C:\Users\Admin\AppData\Local\Temp\8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"C:\Users\Admin\AppData\Local\Temp\._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO15⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT3⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds3⤵
-
C:\Windows\SysWOW64\net.exenet stop vds4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable4⤵
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Modifies system certificate store
-
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
06fdd27742bc4dcb30bc348fa0c24041
SHA1532db4b18a787d4d6a7e48f0b43c51210312f82b
SHA2565aaa3a31d1683ad8d80d2abeb978dbfa35ccfec75e26e41388bd2df69aff07b8
SHA512ba567237981d4ad6fe5c1dd4ea21602b3398125fefe33858c0da719ac7bdab4d99e0be09c993a6bbafda5448855a9a8bbaa4ea148a356e5c5b71de54d6c5c722
-
MD5
06fdd27742bc4dcb30bc348fa0c24041
SHA1532db4b18a787d4d6a7e48f0b43c51210312f82b
SHA2565aaa3a31d1683ad8d80d2abeb978dbfa35ccfec75e26e41388bd2df69aff07b8
SHA512ba567237981d4ad6fe5c1dd4ea21602b3398125fefe33858c0da719ac7bdab4d99e0be09c993a6bbafda5448855a9a8bbaa4ea148a356e5c5b71de54d6c5c722
-
MD5
f9c4f186439b54979f342691f4c0ed66
SHA14e5a6ab1595b17e1e59ab139a82837f6e3c15019
SHA256df8358c7045a4f2c0c2b8c150531c8f5433a4189da5d8c5aae1bb8b940c39a10
SHA5125bea342ca70254abf087ca07b2838ab279f2a73530807e127a9870f126299516df41dde3c1ef1e2df6f1c0af3763df79a577be6bcaf33b72e699a872516afa93
-
MD5
37536fbbc7e845a5cd6597fb435fe6e0
SHA1ac8d8e37163ce35562003f0aebca12f59a6b7d4d
SHA256f0fd9d2921bb8a785027e66786827f94b12b0305f0e72ab36e8ad7472396f786
SHA51209ea392d535e5c823ef81cea390abbdce5f6db92285fd437b5e0f195c2704b4d9b02db50bfd58720577ad425151f95f119bea04502a2b536f00a2952b291b350
-
MD5
e550da03aee5b546b436cd553d3233b9
SHA17d4f842c50f4136f10c6c6a2e891bfc4a182a0ed
SHA2569abfd4e29b96cca442502b1de6071fe0293455df22b4eff19fa3e6df060947e7
SHA512e758228aa2b04ec44ded777ae2318ecf6e9278b6b5981d29d10378e0f66885fabccab48ece78fc279755e710fb531575b58a4fe28469d199736eeb24aa62c767
-
MD5
a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
MD5
15bad11d15616bbc01aa76228db2403e
SHA1730dd8f47152ca228e325dc0a31c7d7526d0e100
SHA256648ac02aa62a80d0b607e6aa07b44433b91ab4ca23471324cb00dafe846ffca5
SHA5125c767e6b6ccec3b6395b43132bdd98186445d4761b7b38ce6dd2e00f23425609b27c547842f76554ac7906cbe0c282051192f56337f1a2b0105a90f5fca2f379
-
MD5
5703a6e1134181e3fe69c51c9d132a4a
SHA117325e489b31d893774c7781c9ca5cb0bbbe6388
SHA2569a685964ff6437cc5dfc185d73c75e7c09a25f7867a1ff1d5c348c5b3d3a068e
SHA5126cd0d539bfd1d9444294fa8e94da9a65cd1940a82fe435f33257f11c8b645e2c95b4041e8ee6d9da43a2c6c5f4c160be7aa0d356ee77bbf1b151ef26cd78b251
-
MD5
6a0f0df0de1c490878a5d9b6b11b0dc1
SHA1bb6aa8f87ebb545a674163db2086296ab5aa4713
SHA2561af990a1b4ff4d6ba42bafe5e08c638f3157ac56a7e573432c4e76fddb991db5
SHA512d72e14e45b35f9fe25e69c6b86367d216ab317d2d48561bfebab439a3f9a7631c363ba5a73739b39dd27f236e0769f397ba04d53babaf1f2cd53cfd9fb5c68f7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
934984b11e6690c10e7ad5bf1f0cf274
SHA15c826f0bca1460508b0a3db4b0e5f9fbd7c2104f
SHA25695a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e
SHA5124cc96789b2c6a40b94d7dc5d3ed11876dc643172211114ee588bfc0988f00cc3508d0d1e5d39a08e29b003f12429ba46fa07ac58402d6838b7263a640b20f13e
-
MD5
e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
MD5
06fdd27742bc4dcb30bc348fa0c24041
SHA1532db4b18a787d4d6a7e48f0b43c51210312f82b
SHA2565aaa3a31d1683ad8d80d2abeb978dbfa35ccfec75e26e41388bd2df69aff07b8
SHA512ba567237981d4ad6fe5c1dd4ea21602b3398125fefe33858c0da719ac7bdab4d99e0be09c993a6bbafda5448855a9a8bbaa4ea148a356e5c5b71de54d6c5c722
-
MD5
06fdd27742bc4dcb30bc348fa0c24041
SHA1532db4b18a787d4d6a7e48f0b43c51210312f82b
SHA2565aaa3a31d1683ad8d80d2abeb978dbfa35ccfec75e26e41388bd2df69aff07b8
SHA512ba567237981d4ad6fe5c1dd4ea21602b3398125fefe33858c0da719ac7bdab4d99e0be09c993a6bbafda5448855a9a8bbaa4ea148a356e5c5b71de54d6c5c722
-
MD5
06fdd27742bc4dcb30bc348fa0c24041
SHA1532db4b18a787d4d6a7e48f0b43c51210312f82b
SHA2565aaa3a31d1683ad8d80d2abeb978dbfa35ccfec75e26e41388bd2df69aff07b8
SHA512ba567237981d4ad6fe5c1dd4ea21602b3398125fefe33858c0da719ac7bdab4d99e0be09c993a6bbafda5448855a9a8bbaa4ea148a356e5c5b71de54d6c5c722
-
MD5
934984b11e6690c10e7ad5bf1f0cf274
SHA15c826f0bca1460508b0a3db4b0e5f9fbd7c2104f
SHA25695a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e
SHA5124cc96789b2c6a40b94d7dc5d3ed11876dc643172211114ee588bfc0988f00cc3508d0d1e5d39a08e29b003f12429ba46fa07ac58402d6838b7263a640b20f13e
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
16KB
-
Filesize
16KB