Analysis
- max time kernel: 179s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 00:24

Static task: static1

Behavioral task: behavioral1
- Sample: bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
- Resource: win10v2004-en-20220113

General
- Target: bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
- Size: 994KB
- MD5: 043051032c01d2d5e7dc0a180eab52f0
- SHA1: 6a708fc95a1b0d0f60b5674b652e27b52db2fbbd
- SHA256: bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee
- SHA512: 754d42a6600cfd11999b7e7a2cd771c62e42d8cd581a621cae764c245cc68af1b56c554704ea81cb0b17059bf94bf0a17798e14f26732840cb74a74a390b2537
Malware Config
Signatures
- Ouroboros/Zeropadypt: Ransomware family based on open-source CryptoWire.
- Modifies Windows Firewall (1 TTP)
- Drops desktop.ini file(s) (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
  File opened for modification | C:\Program Files\desktop.ini | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
  File created | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
  File created | C:\Program Files\desktop.ini | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
- Looks up external IP address via web service (1 IoC): Uses a legitimate IP lookup service to find the infected system's external IP.
  description | flow | ioc
  HTTP URL | 49 | http://www.sfml-dev.org/ip-provider.php
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe (PID 3600)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1248)
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLWriter
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 4060)
          cmdline: net stop SQLWriter
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 2216)
              cmdline: C:\Windows\system32\net1 stop SQLWriter

    C:\Windows\SysWOW64\cmd.exe (PID 2264)
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 2852)
          cmdline: net stop SQLBrowser
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 4216)
              cmdline: C:\Windows\system32\net1 stop SQLBrowser

    C:\Windows\SysWOW64\cmd.exe (PID 2648)
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 4408)
          cmdline: net stop MSSQLSERVER
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 1420)
              cmdline: C:\Windows\system32\net1 stop MSSQLSERVER

    C:\Windows\SysWOW64\cmd.exe (PID 4404)
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 116)
          cmdline: net stop MSSQL$CONTOSO1
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 3664)
              cmdline: C:\Windows\system32\net1 stop MSSQL$CONTOSO1

    C:\Windows\SysWOW64\cmd.exe (PID 3632)
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSDTC
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 3332)
          cmdline: net stop MSDTC
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 4380)
              cmdline: C:\Windows\system32\net1 stop MSDTC

    C:\Windows\SysWOW64\cmd.exe (PID 4328)
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe (PID 4592)
      cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe (PID 4568)
      cmdline: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe (PID 4956)
      cmdline: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 2052)
          cmdline: net stop SQLSERVERAGENT
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 3696)
              cmdline: C:\Windows\system32\net1 stop SQLSERVERAGENT

    C:\Windows\SysWOW64\cmd.exe (PID 4712)
      cmdline: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        C:\Windows\SysWOW64\net.exe (PID 1872)
          cmdline: net stop MSSQLSERVER
            C:\Windows\SysWOW64\net1.exe (PID 4272)
              cmdline: C:\Windows\system32\net1 stop MSSQLSERVER

    C:\Windows\SysWOW64\cmd.exe (PID 3260)
      cmdline: C:\Windows\system32\cmd.exe /c net stop vds
        C:\Windows\SysWOW64\net.exe (PID 1008)
          cmdline: net stop vds
            C:\Windows\SysWOW64\net1.exe (PID 2160)
              cmdline: C:\Windows\system32\net1 stop vds

    C:\Windows\SysWOW64\cmd.exe (PID 704)
      cmdline: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
        C:\Windows\SysWOW64\netsh.exe (PID 1460)
          cmdline: netsh advfirewall set currentprofile state off

    C:\Windows\SysWOW64\cmd.exe (PID 1304)
      cmdline: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
        C:\Windows\SysWOW64\netsh.exe (PID 1216)
          cmdline: netsh firewall set opmode mode=disable

C:\Windows\system32\svchost.exe (PID 4084)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3112)
  cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
DNS lookup (remote address 8.8.8.8:53)
  Request:  www.sfml-dev.org IN A
  Response: www.sfml-dev.org IN CNAME sfml-dev.org
            sfml-dev.org IN A 78.47.82.133

HTTP: GET http://www.sfml-dev.org/ip-provider.php by bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe (remote address 78.47.82.133:80)
  Request:
    GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x
  Response:
    HTTP/1.1 200 OK
    Server: Apache
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
    Content-Length: 12
    Connection: close
    Content-Type: text/html; charset=UTF-8
Flow: 78.47.82.133:80 | http://www.sfml-dev.org/ip-provider.php | http | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe | 364 B / 829 B | 5 / 5 packets
  HTTP Request: GET http://www.sfml-dev.org/ip-provider.php
  HTTP Response: 200