Overview

overview

10

Static

static

decoderma@...om.exe

windows7_x64

10

decoderma@...om.exe

windows10_x64

10

Analysis

  • max time kernel
    30s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    06-07-2020 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decoderma@tutanota.com.exe

  • Size

    998KB

  • MD5

    7bc5183b207888e9c01193fe2f1d0976

  • SHA1

    e679f69eb28ab3462cc308143d9d372b40d936d1

  • SHA256

    9e3d7b2163b865375d1b14a37c9130c55b9de8a6eb74b54f0d6f1a8b820eceae

  • SHA512

    ce38603c3e21a716124bc4cc627f3c983685849625ec2cec5a1391eb904a84dff8681204cc3944c73e19c4398ed37fb8658927ed0f953c037afea98eea989aaf

Score
10/10
ouroborosevasionransomwarespyware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • NTFS ADS 51 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\decoderma@tutanota.com.exe
    "C:\Users\Admin\AppData\Local\Temp\decoderma@tutanota.com.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
            PID:3276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3448
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            4⤵
              PID:3504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3584
          • C:\Windows\SysWOW64\net.exe
            net stop MSSQLSERVER
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MSSQLSERVER
              4⤵
                PID:3016
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3612
            • C:\Windows\SysWOW64\net.exe
              net stop MSSQL$CONTOSO1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3668
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                4⤵
                  PID:3008
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop MSDTC
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2096
              • C:\Windows\SysWOW64\net.exe
                net stop MSDTC
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2164
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop MSDTC
                  4⤵
                    PID:392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                  PID:3800
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
                  2⤵
                    PID:3836
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
                    2⤵
                      PID:3384
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3796
                      • C:\Windows\SysWOW64\net.exe
                        net stop SQLSERVERAGENT
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1812
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop SQLSERVERAGENT
                          4⤵
                            PID:3600
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                        2⤵
                          PID:1608
                          • C:\Windows\SysWOW64\net.exe
                            net stop MSSQLSERVER
                            3⤵
                              PID:2596
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop MSSQLSERVER
                                4⤵
                                  PID:1768
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c net stop vds
                              2⤵
                                PID:3164
                                • C:\Windows\SysWOW64\net.exe
                                  net stop vds
                                  3⤵
                                    PID:2268
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop vds
                                      4⤵
                                        PID:2640
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                                    2⤵
                                      PID:3984
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh advfirewall set currentprofile state off
                                        3⤵
                                          PID:2064
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                                        2⤵
                                          PID:3740
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall set opmode mode=disable
                                            3⤵
                                              PID:3932

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Replication Through Removable Media

                                        1
                                        T1091

                                        Execution

                                        Persistence

                                        Modify Existing Service

                                        1
                                        T1031

                                        Privilege Escalation

                                        Defense Evasion

                                        Credential Access

                                        Credentials in Files

                                        1
                                        T1081

                                        Discovery

                                        Lateral Movement

                                        Replication Through Removable Media

                                        1
                                        T1091

                                        Collection

                                        Data from Local System

                                        1
                                        T1005

                                        Exfiltration

                                        Command and Control

                                        Web Service

                                        1
                                        T1102

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/392-14-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1608-21-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1768-23-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1812-19-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2064-28-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2096-12-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2164-13-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2268-25-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2596-22-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2600-7-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2640-26-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3008-11-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3016-8-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3100-35-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-36-0x00000000026F0000-0x00000000026F1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-32-0x00000000026F0000-0x00000000026F1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-31-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-33-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-34-0x00000000026F0000-0x00000000026F1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3100-48-0x00000000026F0000-0x00000000026F1000-memory.dmp
                                          Filesize

                                          4KB

                                          Download
                                        • memory/3164-24-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3276-2-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3292-0-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3384-1-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3384-17-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3448-4-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3504-5-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3584-6-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3600-20-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3612-9-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3668-10-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3740-29-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3796-18-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3800-15-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3836-16-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3928-3-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3932-30-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3984-27-0x0000000000000000-mapping.dmp
                                          Download