Analysis

max time kernel: 151s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 00:20

Static task: static1
Behavioral task behavioral1: sample fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe, resource win7-en-20211208
Behavioral task behavioral2: sample fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe, resource win10v2004-en-20220113

The platform and resource listed above match behavioral2, so the signatures and process tree that follow come from the Windows 10 2004 x64 run, not from the Windows 7 run.
General

Target: fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
Size: 994KB
MD5: 7748cd256ffcbf262761607ddb75bb38
SHA1: eef70ff4314467d0abfa757916600062bac584fb
SHA256: fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c
SHA512: 1fb7b60d8c002ff83d2ab44c6e02e624676595e3d142c3c4dab5a6d84b83401a4ca590ac68bdae85e78a2cd02cdba4769e50d6faaa68c2f318837ad14aba35ff
Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.

Modifies Windows Firewall (1 TTP)
Drops desktop.ini file(s) (5 IoCs)
Process (all rows): fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
description | ioc
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
File opened for modification | C:\Program Files\desktop.ini
File created | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
File created | C:\Program Files\desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
description | flow | ioc
HTTP URL | 30 | http://www.sfml-dev.org/ip-provider.php

www.sfml-dev.org/ip-provider.php is the endpoint queried by the SFML library's sf::IpAddress::getPublicAddress() helper, so this request is consistent with the binary being built against SFML rather than with a bespoke check-in. On its own it is a weak network indicator: any SFML-linked program that calls that helper produces the same flow.
Drops file in Program Files directory (64 IoCs)
Process (all rows): fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
The table is capped at 64 rows. Rows carrying the suffix .[<contact address>][AQ6EY1OP9VTLZXH].Spade are files the sample has renamed after encryption; the bracketed contact address is redacted as "[email protected]" on this page, and AQ6EY1OP9VTLZXH is the same in every renamed file of this run. Rows without the suffix were opened or created without being renamed at the time of capture.
description | ioc
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-16.png
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\VideoLAN\VLC\README.txt
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleProfileAvatars.png
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\clrcompression.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png
File opened for modification | C:\Program Files\UnpublishPublish.emz.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml
File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\clrcompression.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\onenote_strings.js
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.[[email protected]][AQ6EY1OP9VTLZXH].Spade
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png
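As an added example for this page (not code from the sandbox report or from the sample's authors), the following triage helper parses file-activity rows like the ones above: it recognises the renaming marker, recovers the pre-encryption file name, collects the victim ID and tallies which product directories under Program Files were hit. The rows embedded in the block are copied from the signature above with the contact address kept exactly as the page redacts it ("[email protected]"), so the regular expression accepts any text in the first bracket group; treating the ID as upper-case alphanumeric is an assumption drawn from the single value on the page.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Optional

# Renaming marker this sample appends to files it has encrypted, as seen in the
# file-activity IoCs:  <original path>.[<contact address>][<victim id>].Spade
# The contact address is redacted to "[email protected]" on the report page, so the
# first bracket group accepts arbitrary text rather than a specific mailbox. Treating
# the ID as upper-case alphanumeric is an assumption drawn from the one value seen.
SPADE_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<contact>.+?)\]\[(?P<victim_id>[A-Z0-9]+)\]\.Spade$"
)

# Rows copied from the "Drops file in Program Files directory" signature, redaction included.
SAMPLE_IOCS = [
    ("File opened for modification",
     r"C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.[[email protected]][AQ6EY1OP9VTLZXH].Spade"),
    ("File created",
     r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf.[[email protected]][AQ6EY1OP9VTLZXH].Spade"),
    ("File opened for modification",
     r"C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade"),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\README.txt"),
    ("File opened for modification",
     r"C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png"),
    ("File created",
     r"C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.[[email protected]][AQ6EY1OP9VTLZXH].Spade"),
]


def parse_encrypted_name(path: str) -> Optional[dict]:
    """Split a Spade-renamed path into original / contact / victim_id; None if no marker."""
    m = SPADE_RE.match(path)
    return m.groupdict() if m else None


def restore_name(path: str) -> str:
    """Path the file had before it was renamed (unchanged when there is no marker)."""
    parsed = parse_encrypted_name(path)
    return parsed["original"] if parsed else path


def triage(iocs) -> dict:
    """Separate renamed (encrypted) files from files without a marker, collect the
    victim IDs seen and count hits per product directory under Program Files.
    The per-directory tally assumes the "<drive>\\Program Files\\<product>\\..." layout
    that every row of this signature follows."""
    encrypted, unmarked = [], []
    victim_ids = set()
    per_product = Counter()
    for _action, path in iocs:
        parsed = parse_encrypted_name(path)
        if parsed:
            encrypted.append(parsed["original"])
            victim_ids.add(parsed["victim_id"])
        else:
            # Opened or created without the marker: either not yet renamed at capture
            # time or left alone; the report does not say which.
            unmarked.append(path)
        parent = PureWindowsPath(restore_name(path)).parent.parts
        per_product[parent[2] if len(parent) > 2 else "(Program Files root)"] += 1
    return {
        "encrypted": encrypted,
        "unmarked": unmarked,
        "victim_ids": sorted(victim_ids),
        "per_product": per_product,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_IOCS)
    print(f"{len(result['encrypted'])} renamed, {len(result['unmarked'])} without marker, "
          f"victim IDs {result['victim_ids']}")
    for product, n in result["per_product"].most_common():
        print(f"  {n:2d}  {product}")
```

Feeding the full 64-row table (or a directory listing from an infected host) through triage() gives the set of victim IDs present, which should be exactly one per infected machine, and restore_name() is the rename step a recovery script runs after files have been decrypted.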
Drops file in Windows directory (8 IoCs)
These eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv) and the servicing worker TiWorker.exe, not from the sample; they are background activity of the analysis VM.
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | process | entries
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 18 (identical rows in the raw table)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 token adjustments belong to the Windows Update service host (PID 4060) and TiWorker.exe (PID 1868), the same two background processes seen in the Windows-directory writes above; none are attributable to the sample. The raw table is collapsed here by process and privilege.
token | pid | process | entries
SeShutdownPrivilege | 4060 | svchost.exe | 3
SeCreatePagefilePrivilege | 4060 | svchost.exe | 3
SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycling) | 1868 | TiWorker.exe | 58
Suspicious use of WriteProcessMemory (64 IoCs)
Every target is one of the sample's own cmd.exe, net.exe or net1.exe children from the process tree, so these writes are consistent with ordinary parent-to-child process creation rather than injection into an unrelated process. Each source/target pair appears three times in the raw table; pairs are listed once here with their count, and the table is cut off at 64 entries.
source pid | source process | target pid | target process | entries
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 4616 | cmd.exe | 3
4616 | cmd.exe | 4556 | net.exe | 3
4556 | net.exe | 4084 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 1676 | cmd.exe | 3
1676 | cmd.exe | 4888 | net.exe | 3
4888 | net.exe | 4924 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 820 | cmd.exe | 3
820 | cmd.exe | 4440 | net.exe | 3
4440 | net.exe | 1264 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 4760 | cmd.exe | 3
4760 | cmd.exe | 1504 | net.exe | 3
1504 | net.exe | 1396 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 2892 | cmd.exe | 3
2892 | cmd.exe | 1756 | net.exe | 3
1756 | net.exe | 1904 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 2764 | cmd.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 3196 | cmd.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 3300 | cmd.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 256 | cmd.exe | 3
256 | cmd.exe | 4656 | net.exe | 3
4656 | net.exe | 3208 | net1.exe | 3
1384 | fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe | 4372 | cmd.exe | 1 (table truncated)
Processes

The tree below is the run's process list. The bracketed number is the nesting depth as shown on the original page, followed by the PID, the image path, the command line and the signatures that fired on that process. Read top to bottom, the sample stops SQL Server (SQLWriter, SQLBrowser, the default instance MSSQLSERVER, the named instance MSSQL$CONTOSO1 and SQLSERVERAGENT), MSDTC and vds, the usual purpose being to release files those services hold open so they can be encrypted; it then disables boot recovery and deletes the backup catalog, and finally turns the Windows Firewall off using both the current advfirewall syntax and the legacy "netsh firewall" syntax. The children run from C:\Windows\SysWOW64 although the command lines name C:\Windows\system32: the sample is a 32-bit process, and WOW64 file-system redirection remaps the path. The last two roots, svchost.exe hosting wuauserv and TiWorker.exe, are Windows Update activity on the analysis VM and are unrelated to the sample.

[1] PID 1384  C:\Users\Admin\AppData\Local\Temp\fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe"
    signatures: Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  [2] PID 4616  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLWriter
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 4556  C:\Windows\SysWOW64\net.exe
        cmdline: net stop SQLWriter
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 4084  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop SQLWriter
  [2] PID 1676  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 4888  C:\Windows\SysWOW64\net.exe
        cmdline: net stop SQLBrowser
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 4924  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop SQLBrowser
  [2] PID 820  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 4440  C:\Windows\SysWOW64\net.exe
        cmdline: net stop MSSQLSERVER
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 1264  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop MSSQLSERVER
  [2] PID 4760  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 1504  C:\Windows\SysWOW64\net.exe
        cmdline: net stop MSSQL$CONTOSO1
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 1396  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
  [2] PID 2892  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSDTC
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 1756  C:\Windows\SysWOW64\net.exe
        cmdline: net stop MSDTC
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 1904  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop MSDTC
  [2] PID 2764  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  [2] PID 3196  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  [2] PID 3300  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  [2] PID 256  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      signatures: Suspicious use of WriteProcessMemory
    [3] PID 4656  C:\Windows\SysWOW64\net.exe
        cmdline: net stop SQLSERVERAGENT
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 3208  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop SQLSERVERAGENT
  [2] PID 4372  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    [3] PID 4480  C:\Windows\SysWOW64\net.exe
        cmdline: net stop MSSQLSERVER
      [4] PID 3892  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop MSSQLSERVER
  [2] PID 404  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c net stop vds
    [3] PID 3636  C:\Windows\SysWOW64\net.exe
        cmdline: net stop vds
      [4] PID 5084  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop vds
  [2] PID 4252  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    [3] PID 3672  C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh advfirewall set currentprofile state off
  [2] PID 1812  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    [3] PID 2504  C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh firewall set opmode mode=disable

[1] PID 4060  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

[1] PID 1868  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
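A detection pass over the process tree, added here as an example and not part of the sandbox report or of the sample: process-creation events are reconstructed from the tree as (pid, parent pid, image, command line) tuples, with parent pids read off the nesting because the report does not print them, and only part of the sample's subtree plus the two unrelated Windows Update roots is reproduced. Each child command is attributed to its root process and tagged with the MITRE ATT&CK technique it matches (T1489 Service Stop, T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall); matching on the command line rather than the image means the cmd.exe wrapper, net.exe and net1.exe collapse into one service stop. The two-technique alert threshold is an assumption chosen for this example.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fbebb86bb85113fa75d10309be7dc158e2b3ae09a800ae909e701b9c2028f58c.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")

# Process-creation events as (pid, parent pid, image, command line), reconstructed from
# the report's process tree. Parent pids are read off the tree's nesting (the report does
# not print them); None marks a root whose parent is outside the report. Only part of the
# sample's subtree is reproduced.
EVENTS = [
    (1384, None, SAMPLE, f'"{SAMPLE}"'),
    (4616, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c net stop SQLWriter"),
    (4556, 4616, NET,   "net stop SQLWriter"),
    (4084, 4556, NET1,  r"C:\Windows\system32\net1 stop SQLWriter"),
    (820,  1384, CMD,   r"C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER"),
    (4440, 820,  NET,   "net stop MSSQLSERVER"),
    (1264, 4440, NET1,  r"C:\Windows\system32\net1 stop MSSQLSERVER"),
    (2764, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (3196, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    (3300, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    (4252, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off"),
    (3672, 4252, NETSH, "netsh advfirewall set currentprofile state off"),
    (1812, 1384, CMD,   r"C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable"),
    (2504, 1812, NETSH, "netsh firewall set opmode mode=disable"),
    # Windows Update activity the same run captured; a correct rule must not flag it.
    (4060, None, SVCHOST,  r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    (1868, None, TIWORKER, TIWORKER + " -Embedding"),
]

# Command-line patterns for the three behaviours in the tree, tagged with MITRE ATT&CK
# technique IDs. Matching is done on the command line, not the image name, so the
# cmd.exe /c wrapper, net.exe and net1.exe all count as the same service stop.
RULES = [
    ("T1489 Service Stop",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(?P<service>\S+)", re.I)),
    ("T1490 Inhibit System Recovery",
     re.compile(r"\bbcdedit\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490 Inhibit System Recovery",
     re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004 Disable or Modify System Firewall",
     re.compile(r"\bnetsh\b.*(?:advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
]


def classify(cmdline: str) -> list:
    """Return (technique, detail) pairs for every rule the command line matches; the
    detail is the stopped service name for T1489 and the matched text otherwise."""
    hits = []
    for technique, pattern in RULES:
        m = pattern.search(cmdline)
        if m:
            hits.append((technique, m.groupdict().get("service") or m.group(0)))
    return hits


def root_of(pid: int, parents: dict) -> int:
    """Walk parent links up to the top-most process the report shows."""
    seen = set()
    while parents.get(pid) is not None and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_tree(events, min_techniques: int = 2) -> dict:
    """Attribute every matching child command to its root process and raise an alert
    for a root that combines at least min_techniques distinct techniques. The threshold
    is an assumption for this example; tune it to the environment."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    findings = defaultdict(lambda: {"techniques": set(), "services_stopped": set(), "commands": []})
    for pid, _ppid, _image, cmdline in events:
        hits = classify(cmdline)
        if not hits:
            continue
        f = findings[root_of(pid, parents)]
        f["commands"].append((pid, cmdline))
        for technique, detail in hits:
            f["techniques"].add(technique)
            if technique.startswith("T1489"):
                f["services_stopped"].add(detail)
    return {
        root: {
            "techniques": sorted(f["techniques"]),
            "services_stopped": sorted(f["services_stopped"]),
            "commands": f["commands"],
            "alert": len(f["techniques"]) >= min_techniques,
        }
        for root, f in findings.items()
    }


if __name__ == "__main__":
    for root, verdict in score_tree(EVENTS).items():
        flag = "ALERT" if verdict["alert"] else "info"
        print(f"{flag} root pid {root}: {', '.join(verdict['techniques'])}; "
              f"services stopped: {', '.join(verdict['services_stopped'])}")
```

Run against the reconstructed events, only PID 1384 is reported, with all three techniques and the services SQLWriter and MSSQLSERVER; the svchost.exe and TiWorker.exe roots produce no findings at all. The same functions apply unchanged to Sysmon Event ID 1 or Security 4688 records once they are mapped to the (pid, ppid, image, cmdline) tuple shape.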