Analysis

max time kernel: 158s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 00:21

Static task: static1

Behavioral task: behavioral1
  Sample: f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  Resource: win10v2004-en-20220113
General

Target: f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
Size: 994KB
MD5: 01dff1137a649d446b9468cfc2d57abb
SHA1: 23f971f8a2feae189b1a6c715a196accb46a342b
SHA256: f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b
SHA512: 3d4d3c5d7e3598a9a3d970d280d51b379eeeca43dc5f371f74e40963cfeb8cdd538de049de65d20caa4ee260eb7d461de2eba2718ff19425a493225d864b2ad0
Malware Config
Signatures

Ouroboros/Zeropadypt
  Ransomware family based on open-source CryptoWire.

Modifies Windows Firewall (1 TTP)

Drops desktop.ini file(s) (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  File opened for modification | C:\Program Files\desktop.ini | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  File created | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  File created | C:\Program Files\desktop.ini | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  description | flow | ioc
  HTTP URL | 25 | http://www.sfml-dev.org/ip-provider.php
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs, all with the same pid and process)
  pid | Process
  4452 | f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Each entry: [depth] image path | command line | PID, followed by the signatures matched on that process.

[1] C:\Users\Admin\AppData\Local\Temp\f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe | "C:\Users\Admin\AppData\Local\Temp\f048d645993b4b855dd76e5a5227b00bfa25e9a56c88b1a5c879d3cc8d0db42b.exe" | PID 4452
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop SQLWriter | PID 1972
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop SQLWriter | PID 3796
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLWriter | PID 4376

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop SQLBrowser | PID 4560
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop SQLBrowser | PID 2504
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLBrowser | PID 4480

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER | PID 1688
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop MSSQLSERVER | PID 4968
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQLSERVER | PID 4192

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1 | PID 4940
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop MSSQL$CONTOSO1 | PID 1280
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQL$CONTOSO1 | PID 3012

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop MSDTC | PID 2920
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop MSDTC | PID 2980
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSDTC | PID 2236

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID 1380

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no | PID 4936

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet | PID 4840

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT | PID 3840
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe | net stop SQLSERVERAGENT | PID 3452
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SQLSERVERAGENT | PID 3804

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER | PID 4868
    [3] C:\Windows\SysWOW64\net.exe | net stop MSSQLSERVER | PID 4904
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MSSQLSERVER | PID 4424

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c net stop vds | PID 3060
    [3] C:\Windows\SysWOW64\net.exe | net stop vds | PID 4012
      [4] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop vds | PID 2120

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off | PID 1916
    [3] C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set currentprofile state off | PID 3500

  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable | PID 4040
    [3] C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode mode=disable | PID 4348

[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | PID 4276
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding | PID 4760
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken