ouroboros | 9e3d7b2163b865375d1b14a37c9130c55b9de8a6eb74b54f0d6f1a8b820eceae | Triage

Submit
Reports

Overview

overview

Static

static

decoderma@...om.exe

windows7_x64

decoderma@...om.exe

windows10_x64

Sharing

General

Target

decoderma@tutanota.com.exe
Size

998KB
Sample

200706-l4mr5ga3mx
MD5

7bc5183b207888e9c01193fe2f1d0976
SHA1

e679f69eb28ab3462cc308143d9d372b40d936d1
SHA256

9e3d7b2163b865375d1b14a37c9130c55b9de8a6eb74b54f0d6f1a8b820eceae
SHA512

ce38603c3e21a716124bc4cc627f3c983685849625ec2cec5a1391eb904a84dff8681204cc3944c73e19c4398ed37fb8658927ed0f953c037afea98eea989aaf

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware

Static task

static1

Behavioral task

behavioral1

Sample

decoderma@tutanota.com.exe

Resource

win7

ouroboros xmrig evasion miner ransomware spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

decoderma@tutanota.com.exe

Resource

win10

ouroboros evasion ransomware spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  decoderma@tutanota.com.exe
- Size
  
  998KB
- MD5
  
  7bc5183b207888e9c01193fe2f1d0976
- SHA1
  
  e679f69eb28ab3462cc308143d9d372b40d936d1
- SHA256
  
  9e3d7b2163b865375d1b14a37c9130c55b9de8a6eb74b54f0d6f1a8b820eceae
- SHA512
  
  ce38603c3e21a716124bc4cc627f3c983685849625ec2cec5a1391eb904a84dff8681204cc3944c73e19c4398ed37fb8658927ed0f953c037afea98eea989aaf
Score

10^/10

ouroboros xmrig evasion miner ransomware spyware
- Ouroboros/Zeropadypt
  Ransomware family based on open-source CryptoWire.
  ransomware ouroboros
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

ouroborosxmrigevasionminerransomwarespyware

behavioral2

ouroborosevasionransomwarespyware

© 2018-2024

Terms | Privacy