Overview

overview

10

Static

static

f048d64599...2b.exe

windows7_x64

10

f048d64599...2b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe

  • Size

    994KB

  • MD5

    01dff1137a649d446b9468cfc2d57abb

  • SHA1

    23f971f8a2feae189b1a6c715a196accb46a342b

  • SHA256

    f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b

  • SHA512

    3d4d3c5d7e3598a9a3d970d280d51b379eeeca43dc5f371f74e40963cfeb8cdd538de049de65d20caa4ee260eb7d461de2eba2718ff19425a493225d864b2ad0

Score
10/10
ouroborosevasionransomware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 15 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • NTFS ADS 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
    "C:\Users\Admin\AppData\Local\Temp\f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
            PID:704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            4⤵
              PID:820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:364
          • C:\Windows\SysWOW64\net.exe
            net stop MSSQLSERVER
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1148
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MSSQLSERVER
              4⤵
                PID:1216
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Windows\SysWOW64\net.exe
              net stop MSSQL$CONTOSO1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:796
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                4⤵
                  PID:436
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop MSDTC
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1776
              • C:\Windows\SysWOW64\net.exe
                net stop MSDTC
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1440
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop MSDTC
                  4⤵
                    PID:1096
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                  PID:1056
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
                  2⤵
                    PID:1028
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
                    2⤵
                      PID:1892
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                      2⤵
                        PID:1996
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLSERVERAGENT
                          3⤵
                            PID:1748
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop SQLSERVERAGENT
                              4⤵
                                PID:1684
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                            2⤵
                              PID:460
                              • C:\Windows\SysWOW64\net.exe
                                net stop MSSQLSERVER
                                3⤵
                                  PID:2004
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop MSSQLSERVER
                                    4⤵
                                      PID:600
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c net stop vds
                                  2⤵
                                    PID:956
                                    • C:\Windows\SysWOW64\net.exe
                                      net stop vds
                                      3⤵
                                        PID:1116
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 stop vds
                                          4⤵
                                            PID:920
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                                        2⤵
                                          PID:780
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh advfirewall set currentprofile state off
                                            3⤵
                                              PID:896
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                                            2⤵
                                              PID:2000
                                              • C:\Windows\SysWOW64\netsh.exe
                                                netsh firewall set opmode mode=disable
                                                3⤵
                                                  PID:1700

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/896-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

                                              Filesize

                                              8KB

                                              Download