ouroboros | c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

Analysis

max time kernel
42s
max time network
70s
platform
windows10_x64
resource
win10v20210408
submitted
24-06-2021 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SvHost-3.exe
Size

1.3MB
MD5

6d0cefa5b7f1744aa5dbc041c50b1709
SHA1

023fe5cafe7f0b32bfaf1b3549785e4d36a13b63
SHA256

c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019
SHA512

fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Executes dropped EXE 1 IoCs

pid	Process
496	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Windows Session Manager.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	Windows Session Manager.exe
File created	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\desktop.ini	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\bouquet.jpg	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfr.dll.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.AuditItems.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLL.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.smile.small.scale-150.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\Email.model	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125_contrast-white.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\63.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-125.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-100.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.scale-200.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Solid.png	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-125.png	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct.[[email protected]][FF6BAFEE].Spyro	Windows Session Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe
496	Windows Session Manager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 496	652	SvHost-3.exe	76
PID 652 wrote to memory of 496	652	SvHost-3.exe	76
PID 652 wrote to memory of 496	652	SvHost-3.exe	76
PID 496 wrote to memory of 1352	496	Windows Session Manager.exe	79
PID 496 wrote to memory of 1352	496	Windows Session Manager.exe	79
PID 496 wrote to memory of 1352	496	Windows Session Manager.exe	79
PID 1352 wrote to memory of 1604	1352	cmd.exe	81
PID 1352 wrote to memory of 1604	1352	cmd.exe	81
PID 1352 wrote to memory of 1604	1352	cmd.exe	81
PID 1604 wrote to memory of 2812	1604	net.exe	82
PID 1604 wrote to memory of 2812	1604	net.exe	82
PID 1604 wrote to memory of 2812	1604	net.exe	82
PID 496 wrote to memory of 1420	496	Windows Session Manager.exe	83
PID 496 wrote to memory of 1420	496	Windows Session Manager.exe	83
PID 496 wrote to memory of 1420	496	Windows Session Manager.exe	83
PID 496 wrote to memory of 3592	496	Windows Session Manager.exe	85
PID 496 wrote to memory of 3592	496	Windows Session Manager.exe	85
PID 496 wrote to memory of 3592	496	Windows Session Manager.exe	85
PID 496 wrote to memory of 1724	496	Windows Session Manager.exe	87
PID 496 wrote to memory of 1724	496	Windows Session Manager.exe	87
PID 496 wrote to memory of 1724	496	Windows Session Manager.exe	87
PID 496 wrote to memory of 3932	496	Windows Session Manager.exe	89
PID 496 wrote to memory of 3932	496	Windows Session Manager.exe	89
PID 496 wrote to memory of 3932	496	Windows Session Manager.exe	89
PID 3932 wrote to memory of 1832	3932	cmd.exe	91
PID 3932 wrote to memory of 1832	3932	cmd.exe	91
PID 3932 wrote to memory of 1832	3932	cmd.exe	91
PID 1832 wrote to memory of 4076	1832	net.exe	92
PID 1832 wrote to memory of 4076	1832	net.exe	92
PID 1832 wrote to memory of 4076	1832	net.exe	92
PID 496 wrote to memory of 184	496	Windows Session Manager.exe	93
PID 496 wrote to memory of 184	496	Windows Session Manager.exe	93
PID 496 wrote to memory of 184	496	Windows Session Manager.exe	93
PID 184 wrote to memory of 3816	184	cmd.exe	95
PID 184 wrote to memory of 3816	184	cmd.exe	95
PID 184 wrote to memory of 3816	184	cmd.exe	95
PID 3816 wrote to memory of 2272	3816	net.exe	96
PID 3816 wrote to memory of 2272	3816	net.exe	96
PID 3816 wrote to memory of 2272	3816	net.exe	96
PID 496 wrote to memory of 1424	496	Windows Session Manager.exe	97
PID 496 wrote to memory of 1424	496	Windows Session Manager.exe	97
PID 496 wrote to memory of 1424	496	Windows Session Manager.exe	97
PID 1424 wrote to memory of 2544	1424	cmd.exe	99
PID 1424 wrote to memory of 2544	1424	cmd.exe	99
PID 1424 wrote to memory of 2544	1424	cmd.exe	99
PID 2544 wrote to memory of 3180	2544	net.exe	100
PID 2544 wrote to memory of 3180	2544	net.exe	100
PID 2544 wrote to memory of 3180	2544	net.exe	100
PID 496 wrote to memory of 776	496	Windows Session Manager.exe	101
PID 496 wrote to memory of 776	496	Windows Session Manager.exe	101
PID 496 wrote to memory of 776	496	Windows Session Manager.exe	101
PID 776 wrote to memory of 2068	776	cmd.exe	103
PID 776 wrote to memory of 2068	776	cmd.exe	103
PID 776 wrote to memory of 2068	776	cmd.exe	103
PID 496 wrote to memory of 2200	496	Windows Session Manager.exe	104
PID 496 wrote to memory of 2200	496	Windows Session Manager.exe	104
PID 496 wrote to memory of 2200	496	Windows Session Manager.exe	104
PID 2200 wrote to memory of 1724	2200	cmd.exe	106
PID 2200 wrote to memory of 1724	2200	cmd.exe	106
PID 2200 wrote to memory of 1724	2200	cmd.exe	106
PID 496 wrote to memory of 1832	496	Windows Session Manager.exe	107
PID 496 wrote to memory of 1832	496	Windows Session Manager.exe	107
PID 496 wrote to memory of 1832	496	Windows Session Manager.exe	107
PID 1832 wrote to memory of 1408	1832	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
"C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\net.exe
      net stop MSDTC
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSDTC
        5⤵
        
        PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        5⤵
        
        PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:184
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\net.exe
      net stop vds
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vds
        5⤵
        
        PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:1408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    PID:184
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$CONTOSO1
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$CONTOSO1
        5⤵
        
        PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads