Overview

overview

10

Static

static

voidcrypt.exe

windows7_x64

10

voidcrypt.exe

windows10_x64

10

Analysis

  • max time kernel
    51s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    12-09-2020 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    voidcrypt.exe

  • Size

    997KB

  • MD5

    ba454585b9f42c7254c931c192556e08

  • SHA1

    0b530303634283a43d53abd9190106869f57ba5a

  • SHA256

    26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

  • SHA512

    2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score
10/10
ransomwareouroborosevasionspyware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 88 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 25745 IoCs
  • Drops file in Windows directory 11314 IoCs
  • NTFS ADS 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 93 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\voidcrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\voidcrypt.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:628
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
            PID:856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1388
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            4⤵
              PID:1476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\SysWOW64\net.exe
            net stop MSSQLSERVER
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MSSQLSERVER
              4⤵
                PID:2076
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\SysWOW64\net.exe
              net stop MSSQL$CONTOSO1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                4⤵
                  PID:2780
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop MSDTC
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3660
              • C:\Windows\SysWOW64\net.exe
                net stop MSDTC
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3668
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop MSDTC
                  4⤵
                    PID:3596
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                  PID:2516
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
                  2⤵
                    PID:1416
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
                    2⤵
                      PID:3636
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:188
                      • C:\Windows\SysWOW64\net.exe
                        net stop SQLSERVERAGENT
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1092
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop SQLSERVERAGENT
                          4⤵
                            PID:184
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                        2⤵
                          PID:1648
                          • C:\Windows\SysWOW64\net.exe
                            net stop MSSQLSERVER
                            3⤵
                              PID:1224
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop MSSQLSERVER
                                4⤵
                                  PID:1624
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c net stop vds
                              2⤵
                                PID:2140
                                • C:\Windows\SysWOW64\net.exe
                                  net stop vds
                                  3⤵
                                    PID:1980
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop vds
                                      4⤵
                                        PID:2764
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                                    2⤵
                                      PID:2944
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh advfirewall set currentprofile state off
                                        3⤵
                                          PID:2156
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                                        2⤵
                                          PID:1148
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall set opmode mode=disable
                                            3⤵
                                              PID:3728

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/184-20-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/188-18-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/628-1-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/856-2-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1076-3-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1092-19-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1148-29-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1224-22-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1388-4-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1416-16-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1476-5-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1624-23-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1632-6-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1648-21-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1972-7-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/1980-25-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2076-8-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2140-24-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2156-28-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2160-9-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2516-15-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2720-10-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2764-26-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2780-11-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2832-0-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/2944-27-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3596-14-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3636-17-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3660-12-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3668-13-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3728-30-0x0000000000000000-mapping.dmp

                                          Download

                                        • memory/3888-31-0x0000000001040000-0x0000000001041000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3888-32-0x0000000001840000-0x0000000001841000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3888-33-0x0000000001040000-0x0000000001041000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3888-35-0x0000000001040000-0x0000000001041000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3888-44-0x0000000001840000-0x0000000001841000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/3888-45-0x0000000001040000-0x0000000001041000-memory.dmp

                                          Filesize

                                          4KB

                                          Download