ouroboros | c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

Analysis

max time kernel
52s
max time network
108s
platform
windows7_x64
resource
win7v20210410
submitted
24-06-2021 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SvHost-3.exe
Size

1.3MB
MD5

6d0cefa5b7f1744aa5dbc041c50b1709
SHA1

023fe5cafe7f0b32bfaf1b3549785e4d36a13b63
SHA256

c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019
SHA512

fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Decrypt-info.txt

Ransom Note

All your files are encrypted due to security problem with your computer. You should pay money to recover your files. The price depends on how fast do you message us. You should contact us via this email address: [email protected] if you didn't receive any reply, message our second email address: [email protected] We guarantee that if you make payment, all your files will be recovered. You can send few example files. We recover them for you to prove that we can recover your files. Attention: Do not rename encrypted files. Do not try to decrypt your data using third-party software, it may cause permanent data loss. The decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	Windows Session Manager.exe

Executes dropped EXE 1 IoCs

pid	Process
572	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe

Loads dropped DLL 3 IoCs

pid	Process
1036	SvHost-3.exe
1036	SvHost-3.exe
1036	SvHost-3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	Windows Session Manager.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\servercore-wow64-rm.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ServiceModel.mof	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsd	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\cryptsvc.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\display.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2600T.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR2192E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\dhcpcsvc.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\BrSerIb.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS2192E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR1432E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\dspcli.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS7031NL.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WiaExtensionHost64.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\c2.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_neutral_735aa3b5ee832f62\sdbus.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_neutral_a2cf745000e2ea92\wdmvsc.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\qdvd.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.format.ps1xml	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\qasf.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\schedcli.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsl07.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\LMT642.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_neutral_1a5c861fdb3aab0e\ts_generic.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNB_0335.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\gpedit.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sxs.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\ServDeps.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\C_1146.NLS	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\mfc40.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\brmfcmf.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1401E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzssw71.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\iis-powershellprovider-rm.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\C_20285.NLS	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc007.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\dot4prt.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\CNBP_284.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hphp910t.exp	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\prnxx002.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\DWrite.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\spsreng.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\da-DK\msprivs.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\pnrmc.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNBP_337.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\termmgr.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\wbemcomn2.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd6100t.gpd	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\megasr.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mstape.inf_amd64_neutral_c2bb3ef1c45cd5a1\mstape.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kom4650X.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\WSRM-Service-Replacement.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\imapi.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot2\edb.chk	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmrock.inf_amd64_neutral_2ec26aaad7a9d419\mdmrock.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpo63001.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\kerberos.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingProxy.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\EP0NPP01.DLL	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01618_.WMF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png	Windows Session Manager.exe
File created	C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.PNG.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\psmachine_64.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF	Windows Session Manager.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00853_.WMF	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\bin\glib-lite.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	Windows Session Manager.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01065_.WMF.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02886_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.[[email protected]][4F3EE062].Spyro	Windows Session Manager.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\9de2cd2a58c9f19effe0588c17b1714f\System.Web.Abstractions.ni.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Cursors\larrow.cur	Windows Session Manager.exe
File opened for modification	C:\Windows\IME\IMEJP10\DICTS\IMJPST.DIC	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\curl-hot.png	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\arial.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-US\tn1033.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.1.7600.16385_none_2a271e3c7e986f2c\gpedit.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\nlscoremig.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\diagnostics\system\Networking\en-US\DiagPackage.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\Help\Windows\en-US\games.h1s	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Delta\Windows Navigation Start.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsLexicons0009.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\SqlPersistenceProviderSchema.sql	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-enhancedvideorenderer_31bf3856ad364e35_6.1.7601.17514_none_edc8831ae3260955\evr.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\schannel-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\e7b8df5d803bb9bd27f63f0074775aaf\Microsoft.MediaCenter.UI.ni.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-blb-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_489a9cfa1badc4c5\WindowsBackup.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_6.1.7601.17514_none_1573bf06bb8baa0c\UnattendProvider.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_829f3aa88408cea0\CL_Utility.ps1	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ime-korean-commonapi_31bf3856ad364e35_6.1.7600.16385_none_358c550764e1d433\imkrapi.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-driververifier_31bf3856ad364e35_6.1.7600.16385_none_1660ccbeb66c6cf1\verifier.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-icm-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fab1d6e235eef7d2\ICM.adml	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\mdm3com.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.Powershell.Security.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\webAdminNoNavBar.master	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\WindowsConnectNow.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~ja-JP~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_arc.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0d84bbf86bc07c16\arc.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..ocker-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ed8b37006b00933\DigitalLocker.adml	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\averfx2swtv_noavin_x64.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcumd.inf_31bf3856ad364e35_6.1.7600.16385_none_82533c9760ae3cbc\brmfcumd.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..anagement.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2260fdcdf22a8d26\dmutil.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\001F\PerfCounters.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Remoting.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_1394.inf_31bf3856ad364e35_6.1.7601.17514_none_59555c0e1c877c53\1394.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\brmsl05.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directshow-vfw-capture_31bf3856ad364e35_6.1.7601.17514_none_34a42c333d8f8d28\vfwwdm32.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..mentation-migration_31bf3856ad364e35_11.2.9600.16428_none_ed889940cd85d5bf\WininetPlugin.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\nrkis.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eapmethods_31bf3856ad364e35_6.1.7600.16385_none_0280a5f69aef66f7\eaptlsuserpropertiesv1.xsd	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Ding.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Information Bar.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Xaml.targets	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\BrmfUSB.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-aerodiagnostic_31bf3856ad364e35_6.1.7600.16385_none_4734ae48c8e465f5\TS_WDDMDriver.ps1	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2c3b936d3d73e8ea\hcproviders.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\dhcpservermigplugin-rep.man	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Collections.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_perf.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmzoom.inf_31bf3856ad364e35_6.1.7600.16385_none_74f94081302baaad\mdmzoom.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-core_31bf3856ad364e35_6.1.7601.17514_none_474e72a0a0c61a74\msoeacct.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\f3e56ef4494d5d7845ad4070fd599860\System.DirectoryServices.ni.dll.aux	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\PerformancePerftrack.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..smcnative.resources_31bf3856ad364e35_6.1.7600.16385_en-us_912e40bbd6ff2a08\smcnative.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..e-coretipjpnprofile_31bf3856ad364e35_6.1.7601.17514_none_40000a14149c4d20\IMJPTIP.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Drawing.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_hcw85b64.inf_31bf3856ad364e35_6.1.7600.16385_none_61287d00f82bbdeb\hcw85mlD.rom	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_2d228c23dc8c3814\fms.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	Windows Session Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:Ƃ\Ƃ\Ƃ\¦¨Ƃ\°²Ƃ\º¼򠆂\贠R򷆂ݕ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:\\\¦¨\°²򝂘\º¼򴂘\ÄÆ훬\ÎÐ퍈\ØÚ쾤\âä찀\ìî졜\öø쒸\ĀĂ섔\ĊČ뵰\ĔĖ만\ĞĠ똨\ĨĪ늄	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\8:Ţ\ Ţ\¨ªŢ\²´Ţ\¼¾󺅢\ÆÈ𑅢\ÐÒ	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<ı\LNı\VXı\`b򐄱\jl򧄱\tv횸ı\~팔ı\콰ı\쯌ı\젨ı\¦¨쒄ı\°²샠ı\º¼봼ı\ÄÆ릘ı\ÎÐ뗴ı\ØÚ뉐ı\âä꺬ı\ìî꬈ı\öøꝤı\ĀĂꏀı\ĊČꀜı\ĔĖ鱸ı\ĞĠ飔ı\秸Ŧ锰ıa\ĲĴ醌ı\ļľ跨ı\ňŊ詄ı\ŒŔ蚠ı\ŜŞ苼ı\ŦŨ罘ı\ŰŲ߿\艀Ŧ砐ı\ƄƆ瑬ı\ƌƎ烈ı\ƖƘ洤ı\ƠƢ榀ı\ƪƬ旜ı\ƴƶ戸ı\ƾǀ应ı\鮨Ŧ嫰ı\ǒǔ坌ı\ǜǞ厨ı	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ı\ı\ı\¦¨ı\°²ı\º¼򐄱\ÄÆ򧄱\ØÚ팔ı	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:Ţ\Ţ\Ţ\¦¨Ţ\°²Ţ\º¼󺅢\ÄÆ𑅢\ÎÐ𨅢\ØÚ풼Ţ\âä턘Ţ\ìî쵴Ţ\öø짐Ţ\ĀĂ올Ţ\ĊČ슈Ţ\ĔĖ뻤Ţ\ĞĠ뭀Ţ\ĨĪ랜Ţ\ĲĴ돸Ţ\ļľ끔Ţ\ņň결Ţ\ŐŒꤌŢ\빐RꕨŢį	Windows Session Manager.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe
572	Windows Session Manager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 572	1036	SvHost-3.exe	32
PID 1036 wrote to memory of 572	1036	SvHost-3.exe	32
PID 1036 wrote to memory of 572	1036	SvHost-3.exe	32
PID 1036 wrote to memory of 572	1036	SvHost-3.exe	32
PID 572 wrote to memory of 552	572	Windows Session Manager.exe	34
PID 572 wrote to memory of 552	572	Windows Session Manager.exe	34
PID 572 wrote to memory of 552	572	Windows Session Manager.exe	34
PID 572 wrote to memory of 552	572	Windows Session Manager.exe	34
PID 552 wrote to memory of 1264	552	cmd.exe	36
PID 552 wrote to memory of 1264	552	cmd.exe	36
PID 552 wrote to memory of 1264	552	cmd.exe	36
PID 552 wrote to memory of 1264	552	cmd.exe	36
PID 1264 wrote to memory of 892	1264	net.exe	37
PID 1264 wrote to memory of 892	1264	net.exe	37
PID 1264 wrote to memory of 892	1264	net.exe	37
PID 1264 wrote to memory of 892	1264	net.exe	37
PID 572 wrote to memory of 288	572	Windows Session Manager.exe	38
PID 572 wrote to memory of 288	572	Windows Session Manager.exe	38
PID 572 wrote to memory of 288	572	Windows Session Manager.exe	38
PID 572 wrote to memory of 288	572	Windows Session Manager.exe	38
PID 572 wrote to memory of 836	572	Windows Session Manager.exe	40
PID 572 wrote to memory of 836	572	Windows Session Manager.exe	40
PID 572 wrote to memory of 836	572	Windows Session Manager.exe	40
PID 572 wrote to memory of 836	572	Windows Session Manager.exe	40
PID 572 wrote to memory of 1640	572	Windows Session Manager.exe	42
PID 572 wrote to memory of 1640	572	Windows Session Manager.exe	42
PID 572 wrote to memory of 1640	572	Windows Session Manager.exe	42
PID 572 wrote to memory of 1640	572	Windows Session Manager.exe	42
PID 572 wrote to memory of 1724	572	Windows Session Manager.exe	44
PID 572 wrote to memory of 1724	572	Windows Session Manager.exe	44
PID 572 wrote to memory of 1724	572	Windows Session Manager.exe	44
PID 572 wrote to memory of 1724	572	Windows Session Manager.exe	44
PID 1724 wrote to memory of 1812	1724	cmd.exe	46
PID 1724 wrote to memory of 1812	1724	cmd.exe	46
PID 1724 wrote to memory of 1812	1724	cmd.exe	46
PID 1724 wrote to memory of 1812	1724	cmd.exe	46
PID 1812 wrote to memory of 1368	1812	net.exe	47
PID 1812 wrote to memory of 1368	1812	net.exe	47
PID 1812 wrote to memory of 1368	1812	net.exe	47
PID 1812 wrote to memory of 1368	1812	net.exe	47
PID 572 wrote to memory of 1852	572	Windows Session Manager.exe	48
PID 572 wrote to memory of 1852	572	Windows Session Manager.exe	48
PID 572 wrote to memory of 1852	572	Windows Session Manager.exe	48
PID 572 wrote to memory of 1852	572	Windows Session Manager.exe	48
PID 1852 wrote to memory of 804	1852	cmd.exe	50
PID 1852 wrote to memory of 804	1852	cmd.exe	50
PID 1852 wrote to memory of 804	1852	cmd.exe	50
PID 1852 wrote to memory of 804	1852	cmd.exe	50
PID 804 wrote to memory of 1688	804	net.exe	51
PID 804 wrote to memory of 1688	804	net.exe	51
PID 804 wrote to memory of 1688	804	net.exe	51
PID 804 wrote to memory of 1688	804	net.exe	51
PID 572 wrote to memory of 772	572	Windows Session Manager.exe	52
PID 572 wrote to memory of 772	572	Windows Session Manager.exe	52
PID 572 wrote to memory of 772	572	Windows Session Manager.exe	52
PID 572 wrote to memory of 772	572	Windows Session Manager.exe	52
PID 772 wrote to memory of 1520	772	cmd.exe	54
PID 772 wrote to memory of 1520	772	cmd.exe	54
PID 772 wrote to memory of 1520	772	cmd.exe	54
PID 772 wrote to memory of 1520	772	cmd.exe	54
PID 1520 wrote to memory of 1616	1520	net.exe	55
PID 1520 wrote to memory of 1616	1520	net.exe	55
PID 1520 wrote to memory of 1616	1520	net.exe	55
PID 1520 wrote to memory of 1616	1520	net.exe	55

C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
"C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\net.exe
      net stop MSDTC
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSDTC
        5⤵
        
        PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        5⤵
        
        PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\net.exe
      net stop vds
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vds
        5⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      PID:528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$CONTOSO1
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$CONTOSO1
        5⤵
        
        PID:772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Decrypt-info.txt
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1608-101-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download