ouroboros | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e

Resubmissions

11-02-2020 15:08

200211-yh5d2v3rpa 10

11-02-2020 13:53

200211-smh4fqemta 10

Analysis

max time kernel
121s
max time network
150s
platform
windows10_x64
resource
win10v191014
submitted
11-02-2020 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
Size

986KB
MD5

934984b11e6690c10e7ad5bf1f0cf274
SHA1

5c826f0bca1460508b0a3db4b0e5f9fbd7c2104f
SHA256

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e
SHA512

4cc96789b2c6a40b94d7dc5d3ed11876dc643172211114ee588bfc0988f00cc3508d0d1e5d39a08e29b003f12429ba46fa07ac58402d6838b7263a640b20f13e

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\es\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HelpIcon_contrast-white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-32_altform-unplated.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Flattener\AppVManifest.dll.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Preview\RelivePreviewControl.xaml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-unplated_contrast-white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-200.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\69_32x32x32.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\uk\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Background1.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\3082\hxdsui.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HeroHelp\Scenario2.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_altform-unplated_contrast-black.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\complete.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1066\PowerPivotExcelClientAddIn.rll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6449_32x32x32.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\zh-CHT\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-fullcolor.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Flattener\api-ms-win-core-file-l1-2-0.dll.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\resources.pri	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.ps1	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info2x.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.ot	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\fake_logo.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\ar\PowerViewRes.ar.xap.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.Email=[[email protected]]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteReplay_white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\zh-TW\8:袠Ȫt	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:꧰ǆt.ex	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	73
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	73
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	73
PID 4940 wrote to memory of 4980	4940	cmd.exe	75
PID 4940 wrote to memory of 4980	4940	cmd.exe	75
PID 4940 wrote to memory of 4980	4940	cmd.exe	75
PID 4980 wrote to memory of 5000	4980	net.exe	76
PID 4980 wrote to memory of 5000	4980	net.exe	76
PID 4980 wrote to memory of 5000	4980	net.exe	76
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	77
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	77
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	77
PID 5020 wrote to memory of 5080	5020	cmd.exe	80
PID 5020 wrote to memory of 5080	5020	cmd.exe	80
PID 5020 wrote to memory of 5080	5020	cmd.exe	80
PID 5080 wrote to memory of 5096	5080	net.exe	81
PID 5080 wrote to memory of 5096	5080	net.exe	81
PID 5080 wrote to memory of 5096	5080	net.exe	81
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	82
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	82
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	82
PID 5112 wrote to memory of 1936	5112	cmd.exe	84
PID 5112 wrote to memory of 1936	5112	cmd.exe	84
PID 5112 wrote to memory of 1936	5112	cmd.exe	84
PID 1936 wrote to memory of 1736	1936	net.exe	85
PID 1936 wrote to memory of 1736	1936	net.exe	85
PID 1936 wrote to memory of 1736	1936	net.exe	85
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	86
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	86
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	86
PID 4252 wrote to memory of 1020	4252	cmd.exe	88
PID 4252 wrote to memory of 1020	4252	cmd.exe	88
PID 4252 wrote to memory of 1020	4252	cmd.exe	88
PID 1020 wrote to memory of 4284	1020	net.exe	89
PID 1020 wrote to memory of 4284	1020	net.exe	89
PID 1020 wrote to memory of 4284	1020	net.exe	89
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	90
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	90
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	90
PID 3000 wrote to memory of 4156	3000	cmd.exe	92
PID 3000 wrote to memory of 4156	3000	cmd.exe	92
PID 3000 wrote to memory of 4156	3000	cmd.exe	92
PID 4156 wrote to memory of 2960	4156	net.exe	93
PID 4156 wrote to memory of 2960	4156	net.exe	93
PID 4156 wrote to memory of 2960	4156	net.exe	93
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	94
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	94
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	94
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	96
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	96
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	96
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	98
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	98
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	98
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	100
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	100
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	100
PID 4628 wrote to memory of 1672	4628	cmd.exe	102
PID 4628 wrote to memory of 1672	4628	cmd.exe	102
PID 4628 wrote to memory of 1672	4628	cmd.exe	102
PID 1672 wrote to memory of 4676	1672	net.exe	103
PID 1672 wrote to memory of 4676	1672	net.exe	103
PID 1672 wrote to memory of 4676	1672	net.exe	103
PID 4892 wrote to memory of 4652	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	104

C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
"C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:5096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4892-0-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-1-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/4892-2-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-3-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/4892-4-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-8-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-16-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-17-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download