ouroboros | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e

General

Target

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
Size

986KB
MD5

934984b11e6690c10e7ad5bf1f0cf274
SHA1

5c826f0bca1460508b0a3db4b0e5f9fbd7c2104f
SHA256

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e
SHA512

4cc96789b2c6a40b94d7dc5d3ed11876dc643172211114ee588bfc0988f00cc3508d0d1e5d39a08e29b003f12429ba46fa07ac58402d6838b7263a640b20f13e

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 9 IoCs

Processes:

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\$Recycle.Bin\S-1-5-21-634046074-2673730973-2644684987-1000\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\es\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HelpIcon_contrast-white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-32_altform-unplated.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Flattener\AppVManifest.dll.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Preview\RelivePreviewControl.xaml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-unplated_contrast-white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-200.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\69_32x32x32.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\uk\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Background1.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\3082\hxdsui.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HeroHelp\Scenario2.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_altform-unplated_contrast-black.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\complete.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1066\PowerPivotExcelClientAddIn.rll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-200.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6449_32x32x32.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\zh-CHT\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-fullcolor.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Flattener\api-ms-win-core-file-l1-2-0.dll.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\resources.pri	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.ps1	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info2x.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.ot	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\fake_logo.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\ar\PowerViewRes.ar.xap.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.Email=[lilmoonhack6677@protonmail.com]ID=[3HQ04VIO16MA5DR].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteReplay_white.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

NTFS ADS 2 IoCs

Processes:

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:袠Ȫt	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:꧰ǆt.ex	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

pid	process
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4940	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4940 wrote to memory of 4980	4940	cmd.exe	net.exe
PID 4940 wrote to memory of 4980	4940	cmd.exe	net.exe
PID 4940 wrote to memory of 4980	4940	cmd.exe	net.exe
PID 4980 wrote to memory of 5000	4980	net.exe	net1.exe
PID 4980 wrote to memory of 5000	4980	net.exe	net1.exe
PID 4980 wrote to memory of 5000	4980	net.exe	net1.exe
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 5020	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 5020 wrote to memory of 5080	5020	cmd.exe	net.exe
PID 5020 wrote to memory of 5080	5020	cmd.exe	net.exe
PID 5020 wrote to memory of 5080	5020	cmd.exe	net.exe
PID 5080 wrote to memory of 5096	5080	net.exe	net1.exe
PID 5080 wrote to memory of 5096	5080	net.exe	net1.exe
PID 5080 wrote to memory of 5096	5080	net.exe	net1.exe
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 5112	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 5112 wrote to memory of 1936	5112	cmd.exe	net.exe
PID 5112 wrote to memory of 1936	5112	cmd.exe	net.exe
PID 5112 wrote to memory of 1936	5112	cmd.exe	net.exe
PID 1936 wrote to memory of 1736	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1736	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1736	1936	net.exe	net1.exe
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4252	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4252 wrote to memory of 1020	4252	cmd.exe	net.exe
PID 4252 wrote to memory of 1020	4252	cmd.exe	net.exe
PID 4252 wrote to memory of 1020	4252	cmd.exe	net.exe
PID 1020 wrote to memory of 4284	1020	net.exe	net1.exe
PID 1020 wrote to memory of 4284	1020	net.exe	net1.exe
PID 1020 wrote to memory of 4284	1020	net.exe	net1.exe
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3000	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 3000 wrote to memory of 4156	3000	cmd.exe	net.exe
PID 3000 wrote to memory of 4156	3000	cmd.exe	net.exe
PID 3000 wrote to memory of 4156	3000	cmd.exe	net.exe
PID 4156 wrote to memory of 2960	4156	net.exe	net1.exe
PID 4156 wrote to memory of 2960	4156	net.exe	net1.exe
PID 4156 wrote to memory of 2960	4156	net.exe	net1.exe
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3672	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4420	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 3180	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4892 wrote to memory of 4628	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe
PID 4628 wrote to memory of 1672	4628	cmd.exe	net.exe
PID 4628 wrote to memory of 1672	4628	cmd.exe	net.exe
PID 4628 wrote to memory of 1672	4628	cmd.exe	net.exe
PID 1672 wrote to memory of 4676	1672	net.exe	net1.exe
PID 1672 wrote to memory of 4676	1672	net.exe	net1.exe
PID 1672 wrote to memory of 4676	1672	net.exe	net1.exe
PID 4892 wrote to memory of 4652	4892	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
"C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:4652

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:4336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:3780

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:4104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:3884

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:4768

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4892-0-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-1-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/4892-2-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-3-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/4892-4-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-8-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-16-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4892-17-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads