Overview

overview

10

Static

static

7550228f68...19.exe

windows7_x64

10

7550228f68...19.exe

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    02-05-2020 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

  • Size

    997KB

  • MD5

    5425c30ebba4f84d1874a2c783932646

  • SHA1

    80db4a06b57e61695389c354f155c26bb125bd71

  • SHA256

    7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319

  • SHA512

    457b1539296379bd93adfbc8c3a172405f9c341d9d8aa1c6a8c1dbb0ff52ae564911b1a1218ec5613a5e9e2bcca0c00001d118fb36868391ee93f8155b304f1f

Score
10/10
evasionpersistenceransomwareouroboros

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 124 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • NTFS ADS 6 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Drops file in Program Files directory 17841 IoCs
  • Runs net.exe
  • Modifies service 2 TTPs 10 IoCs
    persistence
  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Drops desktop.ini file(s) 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
    "C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • NTFS ADS
    • Drops file in Program Files directory
    • Drops desktop.ini file(s)
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
            PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            4⤵
              PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\SysWOW64\net.exe
            net stop MSSQLSERVER
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1804
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MSSQLSERVER
              4⤵
                PID:1796
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\SysWOW64\net.exe
              net stop MSSQL$CONTOSO1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                4⤵
                  PID:1848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop MSDTC
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SysWOW64\net.exe
                net stop MSDTC
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1872
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop MSDTC
                  4⤵
                    PID:1888
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                  PID:1884
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
                  2⤵
                    PID:1764
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
                    2⤵
                      PID:756
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                      2⤵
                        PID:1200
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLSERVERAGENT
                          3⤵
                            PID:564
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop SQLSERVERAGENT
                              4⤵
                                PID:1516
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                            2⤵
                              PID:1324
                              • C:\Windows\SysWOW64\net.exe
                                net stop MSSQLSERVER
                                3⤵
                                  PID:812
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop MSSQLSERVER
                                    4⤵
                                      PID:1740
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c net stop vds
                                  2⤵
                                    PID:1620
                                    • C:\Windows\SysWOW64\net.exe
                                      net stop vds
                                      3⤵
                                        PID:1600
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 stop vds
                                          4⤵
                                            PID:1592
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                                        2⤵
                                          PID:1632
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh advfirewall set currentprofile state off
                                            3⤵
                                            • Modifies service
                                            PID:1560
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                                          2⤵
                                            PID:1932
                                            • C:\Windows\SysWOW64\netsh.exe
                                              netsh firewall set opmode mode=disable
                                              3⤵
                                              • Modifies service
                                              PID:1924

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Execution

                                        Persistence

                                        Modify Existing Service

                                        2
                                        T1031

                                        Privilege Escalation

                                        Defense Evasion

                                        Modify Registry

                                        1
                                        T1112

                                        Credential Access

                                        Discovery

                                        Lateral Movement

                                        Collection

                                        Exfiltration

                                        Command and Control

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/868-0-0x0000000000BF0000-0x0000000000C01000-memory.dmp
                                          Filesize

                                          68KB

                                          Download
                                        • memory/868-1-0x00000000011C0000-0x00000000011D1000-memory.dmp
                                          Filesize

                                          68KB

                                          Download
                                        • memory/868-2-0x0000000000BF0000-0x0000000000C01000-memory.dmp
                                          Filesize

                                          68KB

                                          Download