ouroboros | fc11050f29c333b365df4fc8788985668bcdb6095a5874e01f68986b37bee065

Analysis

max time kernel
46s
max time network
131s
platform
windows10_x64
resource
win10v20201028
submitted
03-11-2020 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 7 IoCs

Processes:

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 10 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	10	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\HideDismount.svgz	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.bat.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\lcms.dll	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.dll.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][WMQX6VYK1Z9PIB3].exploit	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

NTFS ADS 4 IoCs

Processes:

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:瞰óǢt.ex	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:瑐óȂt.ex	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:瞰óȪt.ex	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:窀óȾt.ex	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

pid	process
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 984 wrote to memory of 3864	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3864	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3864	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	net.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	net.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	net.exe
PID 3976 wrote to memory of 3860	3976	net.exe	net1.exe
PID 3976 wrote to memory of 3860	3976	net.exe	net1.exe
PID 3976 wrote to memory of 3860	3976	net.exe	net1.exe
PID 984 wrote to memory of 492	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 492	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 492	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2708	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2708	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2708	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2280	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2280	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2280	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2852	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2852	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2852	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 2852 wrote to memory of 3272	2852	cmd.exe	net.exe
PID 2852 wrote to memory of 3272	2852	cmd.exe	net.exe
PID 2852 wrote to memory of 3272	2852	cmd.exe	net.exe
PID 3272 wrote to memory of 2724	3272	net.exe	net1.exe
PID 3272 wrote to memory of 2724	3272	net.exe	net1.exe
PID 3272 wrote to memory of 2724	3272	net.exe	net1.exe
PID 984 wrote to memory of 2632	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2632	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2632	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	net.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	net.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	net.exe
PID 2304 wrote to memory of 2108	2304	net.exe	net1.exe
PID 2304 wrote to memory of 2108	2304	net.exe	net1.exe
PID 2304 wrote to memory of 2108	2304	net.exe	net1.exe
PID 984 wrote to memory of 500	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 500	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 500	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 500 wrote to memory of 2552	500	cmd.exe	net.exe
PID 500 wrote to memory of 2552	500	cmd.exe	net.exe
PID 500 wrote to memory of 2552	500	cmd.exe	net.exe
PID 2552 wrote to memory of 3808	2552	net.exe	net1.exe
PID 2552 wrote to memory of 3808	2552	net.exe	net1.exe
PID 2552 wrote to memory of 3808	2552	net.exe	net1.exe
PID 984 wrote to memory of 2312	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2312	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 2312	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 2312 wrote to memory of 3920	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3920	2312	cmd.exe	netsh.exe
PID 2312 wrote to memory of 3920	2312	cmd.exe	netsh.exe
PID 984 wrote to memory of 3980	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3980	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3980	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 3980 wrote to memory of 692	3980	cmd.exe	netsh.exe
PID 3980 wrote to memory of 692	3980	cmd.exe	netsh.exe
PID 3980 wrote to memory of 692	3980	cmd.exe	netsh.exe
PID 984 wrote to memory of 3656	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3656	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 984 wrote to memory of 3656	984	4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe	cmd.exe
PID 3656 wrote to memory of 208	3656	cmd.exe	net.exe
PID 3656 wrote to memory of 208	3656	cmd.exe	net.exe
PID 3656 wrote to memory of 208	3656	cmd.exe	net.exe
PID 208 wrote to memory of 2756	208	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe
"C:\Users\Admin\AppData\Local\Temp\4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:500
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:3808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-20-0x0000000000000000-mapping.dmp

Download
memory/492-3-0x0000000000000000-mapping.dmp

Download
memory/500-12-0x0000000000000000-mapping.dmp

Download
memory/692-18-0x0000000000000000-mapping.dmp

Download
memory/984-33-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/984-34-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/984-31-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/984-32-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/984-35-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/984-41-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/1176-26-0x0000000000000000-mapping.dmp

Download
memory/1404-23-0x0000000000000000-mapping.dmp

Download
memory/1428-22-0x0000000000000000-mapping.dmp

Download
memory/1624-25-0x0000000000000000-mapping.dmp

Download
memory/2108-11-0x0000000000000000-mapping.dmp

Download
memory/2244-24-0x0000000000000000-mapping.dmp

Download
memory/2280-5-0x0000000000000000-mapping.dmp

Download
memory/2304-10-0x0000000000000000-mapping.dmp

Download
memory/2312-15-0x0000000000000000-mapping.dmp

Download
memory/2552-13-0x0000000000000000-mapping.dmp

Download
memory/2632-9-0x0000000000000000-mapping.dmp

Download
memory/2696-29-0x0000000000000000-mapping.dmp

Download
memory/2708-4-0x0000000000000000-mapping.dmp

Download
memory/2724-8-0x0000000000000000-mapping.dmp

Download
memory/2756-21-0x0000000000000000-mapping.dmp

Download
memory/2784-30-0x0000000000000000-mapping.dmp

Download
memory/2852-6-0x0000000000000000-mapping.dmp

Download
memory/3272-7-0x0000000000000000-mapping.dmp

Download
memory/3656-19-0x0000000000000000-mapping.dmp

Download
memory/3808-14-0x0000000000000000-mapping.dmp

Download
memory/3816-27-0x0000000000000000-mapping.dmp

Download
memory/3828-28-0x0000000000000000-mapping.dmp

Download
memory/3860-2-0x0000000000000000-mapping.dmp

Download
memory/3864-0-0x0000000000000000-mapping.dmp

Download
memory/3920-16-0x0000000000000000-mapping.dmp

Download
memory/3976-1-0x0000000000000000-mapping.dmp

Download
memory/3980-17-0x0000000000000000-mapping.dmp

Download