ouroboros | 7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319

General

Target

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
Size

997KB
MD5

5425c30ebba4f84d1874a2c783932646
SHA1

80db4a06b57e61695389c354f155c26bb125bd71
SHA256

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319
SHA512

457b1539296379bd93adfbc8c3a172405f9c341d9d8aa1c6a8c1dbb0ff52ae564911b1a1218ec5613a5e9e2bcca0c00001d118fb36868391ee93f8155b304f1f

Score

10^/10

evasion ransomware ouroboros

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

pid	process
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Program Files directory 12754 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\VideoLAN\VLC\skins\default.vlt.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\MedTile.scale-125.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\AssertProtect.M2T.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprst.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\root\Flattener\api-ms-win-crt-utility-l1-1-0.dll.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfontj2d.properties.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\heart.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-125.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossContour.scale-140.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.[Hichkasam@protonmail.com][ID-O9F5LP6T7DIUSRV].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Runs net.exe
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Suspicious use of WriteProcessMemory 93 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1612 wrote to memory of 1880	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1880	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1880	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1880 wrote to memory of 1648	1880	cmd.exe	net.exe
PID 1880 wrote to memory of 1648	1880	cmd.exe	net.exe
PID 1880 wrote to memory of 1648	1880	cmd.exe	net.exe
PID 1648 wrote to memory of 2392	1648	net.exe	net1.exe
PID 1648 wrote to memory of 2392	1648	net.exe	net1.exe
PID 1648 wrote to memory of 2392	1648	net.exe	net1.exe
PID 1612 wrote to memory of 2496	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 2496	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 2496	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 2496 wrote to memory of 2768	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2768	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2768	2496	cmd.exe	net.exe
PID 2768 wrote to memory of 296	2768	net.exe	net1.exe
PID 2768 wrote to memory of 296	2768	net.exe	net1.exe
PID 2768 wrote to memory of 296	2768	net.exe	net1.exe
PID 1612 wrote to memory of 1924	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1924	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1924	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1924 wrote to memory of 3604	1924	cmd.exe	net.exe
PID 1924 wrote to memory of 3604	1924	cmd.exe	net.exe
PID 1924 wrote to memory of 3604	1924	cmd.exe	net.exe
PID 3604 wrote to memory of 3816	3604	net.exe	net1.exe
PID 3604 wrote to memory of 3816	3604	net.exe	net1.exe
PID 3604 wrote to memory of 3816	3604	net.exe	net1.exe
PID 1612 wrote to memory of 4048	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 4048	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 4048	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 4048 wrote to memory of 3324	4048	cmd.exe	net.exe
PID 4048 wrote to memory of 3324	4048	cmd.exe	net.exe
PID 4048 wrote to memory of 3324	4048	cmd.exe	net.exe
PID 3324 wrote to memory of 2360	3324	net.exe	net1.exe
PID 3324 wrote to memory of 2360	3324	net.exe	net1.exe
PID 3324 wrote to memory of 2360	3324	net.exe	net1.exe
PID 1612 wrote to memory of 3912	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3912	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3912	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 3912 wrote to memory of 4036	3912	cmd.exe	net.exe
PID 3912 wrote to memory of 4036	3912	cmd.exe	net.exe
PID 3912 wrote to memory of 4036	3912	cmd.exe	net.exe
PID 4036 wrote to memory of 3256	4036	net.exe	net1.exe
PID 4036 wrote to memory of 3256	4036	net.exe	net1.exe
PID 4036 wrote to memory of 3256	4036	net.exe	net1.exe
PID 1612 wrote to memory of 3252	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3252	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3252	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 2936	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 2936	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 2936	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3420	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3420	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 3420	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1404	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1404	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1612 wrote to memory of 1404	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1404 wrote to memory of 1448	1404	cmd.exe	net.exe
PID 1404 wrote to memory of 1448	1404	cmd.exe	net.exe
PID 1404 wrote to memory of 1448	1404	cmd.exe	net.exe
PID 1448 wrote to memory of 1440	1448	net.exe	net1.exe
PID 1448 wrote to memory of 1440	1448	net.exe	net1.exe
PID 1448 wrote to memory of 1440	1448	net.exe	net1.exe
PID 1612 wrote to memory of 2032	1612	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe

NTFS ADS 2 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\"쀀隚瑶\:쀀隚瑶\:쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶\3쀀隚瑶	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Documents and Settings\zh-TW\隚瑶枠±暰±闎瑶ex\:쀀隚瑶啘°啀°闎瑶\隚瑶啸°啠°闎瑶	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.

Processes:

description flow ioc

HTTP URL 4 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	4	http://www.sfml-dev.org/ip-provider.php

C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
"C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- NTFS ADS
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:2032

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:3752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1740

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:1228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1660

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:3952

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-0-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1612-1-0x0000000001A10000-0x0000000001A11000-memory.dmp

Filesize
4KB

Download
memory/1612-2-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1612-6-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads