ouroboros | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c

Analysis

max time kernel
151s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
Size

994KB
MD5

7748cd256ffcbf262761607ddb75bb38
SHA1

eef70ff4314467d0abfa757916600062bac584fb
SHA256

fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c
SHA512

1fb7b60d8c002ff83d2ab44c6e02e624676595e3d142c3c4dab5a6d84b83401a4ca590ac68bdae85e78a2cd02cdba4769e50d6faaa68c2f318837ad14aba35ff

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\Common.fxh	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\management.dll	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-PT.pak	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\splashscreen.dll	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll.[[email protected]][L24ZD0RN91VU86I].Spade	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-2329389628-4064185017-3901522362-1000\ꞔ疮"쀀\ꞔ疮:쀀\ꞔ疮:쀀	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2329389628-4064185017-3901522362-1000\ꞔ疮"쀀\ꞔ疮:쀀	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2329389628-4064185017-3901522362-1000\ꞔ疮"쀀벰므ꨚ疮\ꞔ疮:쀀⌸⌠ꨚ疮	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 952	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	28
PID 612 wrote to memory of 952	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	28
PID 612 wrote to memory of 952	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	28
PID 612 wrote to memory of 952	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	28
PID 952 wrote to memory of 280	952	cmd.exe	30
PID 952 wrote to memory of 280	952	cmd.exe	30
PID 952 wrote to memory of 280	952	cmd.exe	30
PID 952 wrote to memory of 280	952	cmd.exe	30
PID 280 wrote to memory of 560	280	net.exe	31
PID 280 wrote to memory of 560	280	net.exe	31
PID 280 wrote to memory of 560	280	net.exe	31
PID 280 wrote to memory of 560	280	net.exe	31
PID 612 wrote to memory of 756	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	32
PID 612 wrote to memory of 756	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	32
PID 612 wrote to memory of 756	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	32
PID 612 wrote to memory of 756	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	32
PID 756 wrote to memory of 1248	756	cmd.exe	34
PID 756 wrote to memory of 1248	756	cmd.exe	34
PID 756 wrote to memory of 1248	756	cmd.exe	34
PID 756 wrote to memory of 1248	756	cmd.exe	34
PID 1248 wrote to memory of 548	1248	net.exe	35
PID 1248 wrote to memory of 548	1248	net.exe	35
PID 1248 wrote to memory of 548	1248	net.exe	35
PID 1248 wrote to memory of 548	1248	net.exe	35
PID 612 wrote to memory of 1392	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	36
PID 612 wrote to memory of 1392	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	36
PID 612 wrote to memory of 1392	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	36
PID 612 wrote to memory of 1392	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	36
PID 1392 wrote to memory of 1984	1392	cmd.exe	38
PID 1392 wrote to memory of 1984	1392	cmd.exe	38
PID 1392 wrote to memory of 1984	1392	cmd.exe	38
PID 1392 wrote to memory of 1984	1392	cmd.exe	38
PID 1984 wrote to memory of 688	1984	net.exe	39
PID 1984 wrote to memory of 688	1984	net.exe	39
PID 1984 wrote to memory of 688	1984	net.exe	39
PID 1984 wrote to memory of 688	1984	net.exe	39
PID 612 wrote to memory of 1752	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	40
PID 612 wrote to memory of 1752	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	40
PID 612 wrote to memory of 1752	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	40
PID 612 wrote to memory of 1752	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	40
PID 1752 wrote to memory of 1584	1752	cmd.exe	42
PID 1752 wrote to memory of 1584	1752	cmd.exe	42
PID 1752 wrote to memory of 1584	1752	cmd.exe	42
PID 1752 wrote to memory of 1584	1752	cmd.exe	42
PID 1584 wrote to memory of 1940	1584	net.exe	43
PID 1584 wrote to memory of 1940	1584	net.exe	43
PID 1584 wrote to memory of 1940	1584	net.exe	43
PID 1584 wrote to memory of 1940	1584	net.exe	43
PID 612 wrote to memory of 1788	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	44
PID 612 wrote to memory of 1788	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	44
PID 612 wrote to memory of 1788	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	44
PID 612 wrote to memory of 1788	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	44
PID 1788 wrote to memory of 1780	1788	cmd.exe	46
PID 1788 wrote to memory of 1780	1788	cmd.exe	46
PID 1788 wrote to memory of 1780	1788	cmd.exe	46
PID 1788 wrote to memory of 1780	1788	cmd.exe	46
PID 1780 wrote to memory of 956	1780	net.exe	47
PID 1780 wrote to memory of 956	1780	net.exe	47
PID 1780 wrote to memory of 956	1780	net.exe	47
PID 1780 wrote to memory of 956	1780	net.exe	47
PID 612 wrote to memory of 1116	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	48
PID 612 wrote to memory of 1116	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	48
PID 612 wrote to memory of 1116	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	48
PID 612 wrote to memory of 1116	612	fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe	48

C:\Users\Admin\AppData\Local\Temp\fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
"C:\Users\Admin\AppData\Local\Temp\fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:544
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:668
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download