ouroboros | bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee

Analysis

max time kernel
179s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12/02/2022, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
Size

994KB
MD5

043051032c01d2d5e7dc0a180eab52f0
SHA1

6a708fc95a1b0d0f60b5674b652e27b52db2fbbd
SHA256

bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee
SHA512

754d42a6600cfd11999b7e7a2cd771c62e42d8cd581a621cae764c245cc68af1b56c554704ea81cb0b17059bf94bf0a17798e14f26732840cb74a74a390b2537

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\desktop.ini	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File created	C:\Program Files\desktop.ini	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	49	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\TraceExpand.wav	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\DebugResolve.xml.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\UndoShow.jpe	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\DenyStop.xml	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\SearchEdit.snd.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
File opened for modification	C:\Program Files\MoveSelect.dib.[[email protected]][FXANTKD5BCJMG2U].Spade	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4084	svchost.exe
Token: SeCreatePagefilePrivilege	4084	svchost.exe
Token: SeShutdownPrivilege	4084	svchost.exe
Token: SeCreatePagefilePrivilege	4084	svchost.exe
Token: SeShutdownPrivilege	4084	svchost.exe
Token: SeCreatePagefilePrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 1248	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	85
PID 3600 wrote to memory of 1248	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	85
PID 3600 wrote to memory of 1248	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	85
PID 1248 wrote to memory of 4060	1248	cmd.exe	88
PID 1248 wrote to memory of 4060	1248	cmd.exe	88
PID 1248 wrote to memory of 4060	1248	cmd.exe	88
PID 4060 wrote to memory of 2216	4060	net.exe	89
PID 4060 wrote to memory of 2216	4060	net.exe	89
PID 4060 wrote to memory of 2216	4060	net.exe	89
PID 3600 wrote to memory of 2264	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	90
PID 3600 wrote to memory of 2264	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	90
PID 3600 wrote to memory of 2264	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	90
PID 2264 wrote to memory of 2852	2264	cmd.exe	92
PID 2264 wrote to memory of 2852	2264	cmd.exe	92
PID 2264 wrote to memory of 2852	2264	cmd.exe	92
PID 2852 wrote to memory of 4216	2852	net.exe	93
PID 2852 wrote to memory of 4216	2852	net.exe	93
PID 2852 wrote to memory of 4216	2852	net.exe	93
PID 3600 wrote to memory of 2648	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	94
PID 3600 wrote to memory of 2648	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	94
PID 3600 wrote to memory of 2648	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	94
PID 2648 wrote to memory of 4408	2648	cmd.exe	96
PID 2648 wrote to memory of 4408	2648	cmd.exe	96
PID 2648 wrote to memory of 4408	2648	cmd.exe	96
PID 4408 wrote to memory of 1420	4408	net.exe	97
PID 4408 wrote to memory of 1420	4408	net.exe	97
PID 4408 wrote to memory of 1420	4408	net.exe	97
PID 3600 wrote to memory of 4404	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	98
PID 3600 wrote to memory of 4404	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	98
PID 3600 wrote to memory of 4404	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	98
PID 4404 wrote to memory of 116	4404	cmd.exe	100
PID 4404 wrote to memory of 116	4404	cmd.exe	100
PID 4404 wrote to memory of 116	4404	cmd.exe	100
PID 116 wrote to memory of 3664	116	net.exe	101
PID 116 wrote to memory of 3664	116	net.exe	101
PID 116 wrote to memory of 3664	116	net.exe	101
PID 3600 wrote to memory of 3632	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	102
PID 3600 wrote to memory of 3632	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	102
PID 3600 wrote to memory of 3632	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	102
PID 3632 wrote to memory of 3332	3632	cmd.exe	104
PID 3632 wrote to memory of 3332	3632	cmd.exe	104
PID 3632 wrote to memory of 3332	3632	cmd.exe	104
PID 3332 wrote to memory of 4380	3332	net.exe	105
PID 3332 wrote to memory of 4380	3332	net.exe	105
PID 3332 wrote to memory of 4380	3332	net.exe	105
PID 3600 wrote to memory of 4328	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	106
PID 3600 wrote to memory of 4328	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	106
PID 3600 wrote to memory of 4328	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	106
PID 3600 wrote to memory of 4592	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	108
PID 3600 wrote to memory of 4592	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	108
PID 3600 wrote to memory of 4592	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	108
PID 3600 wrote to memory of 4568	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	110
PID 3600 wrote to memory of 4568	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	110
PID 3600 wrote to memory of 4568	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	110
PID 3600 wrote to memory of 4956	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	112
PID 3600 wrote to memory of 4956	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	112
PID 3600 wrote to memory of 4956	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	112
PID 4956 wrote to memory of 2052	4956	cmd.exe	114
PID 4956 wrote to memory of 2052	4956	cmd.exe	114
PID 4956 wrote to memory of 2052	4956	cmd.exe	114
PID 2052 wrote to memory of 3696	2052	net.exe	115
PID 2052 wrote to memory of 3696	2052	net.exe	115
PID 2052 wrote to memory of 3696	2052	net.exe	115
PID 3600 wrote to memory of 4712	3600	bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe	116

C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe
"C:\Users\Admin\AppData\Local\Temp\bb51eef3e46dc4ebf041dd7ac6e717d36eea57ca3acc88efad65fa3cb06081ee.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:704
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4084-131-0x0000025816380000-0x0000025816390000-memory.dmp

Filesize
64KB

Download
memory/4084-130-0x0000025816320000-0x0000025816330000-memory.dmp

Filesize
64KB

Download
memory/4084-132-0x0000025818A60000-0x0000025818A64000-memory.dmp

Filesize
16KB

Download