ouroboros | 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1

Analysis

max time kernel
153s
max time network
137s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
Size

1.0MB
MD5

4d4c7db3318f4c6e7988c0df757513bc
SHA1

5cba2c8b3cc9d78a5e3e95b7d5c0675c86834795
SHA256

94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1
SHA512

268639d6a7959828224e011587e293233d1282b4e23a03dec9832e5a3d74b9a01d99de19c8eab9c8618c79991adb81db6c34a93c67d87be6021167924401dca3

Score

10^/10

ouroboros ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\desktop.ini	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Internet Explorer\perfcore.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-BR.pak	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Internet Explorer	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\am.pak.Email=[[email protected]]ID=[K4N5UTXF8HO2ZBR].odveta	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 944	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	28
PID 1752 wrote to memory of 944	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	28
PID 1752 wrote to memory of 944	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	28
PID 1752 wrote to memory of 944	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	28
PID 944 wrote to memory of 1176	944	cmd.exe	30
PID 944 wrote to memory of 1176	944	cmd.exe	30
PID 944 wrote to memory of 1176	944	cmd.exe	30
PID 944 wrote to memory of 1176	944	cmd.exe	30
PID 1176 wrote to memory of 1216	1176	net.exe	31
PID 1176 wrote to memory of 1216	1176	net.exe	31
PID 1176 wrote to memory of 1216	1176	net.exe	31
PID 1176 wrote to memory of 1216	1176	net.exe	31
PID 1752 wrote to memory of 620	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	32
PID 1752 wrote to memory of 620	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	32
PID 1752 wrote to memory of 620	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	32
PID 1752 wrote to memory of 620	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	32
PID 620 wrote to memory of 1344	620	cmd.exe	34
PID 620 wrote to memory of 1344	620	cmd.exe	34
PID 620 wrote to memory of 1344	620	cmd.exe	34
PID 620 wrote to memory of 1344	620	cmd.exe	34
PID 1344 wrote to memory of 1244	1344	net.exe	35
PID 1344 wrote to memory of 1244	1344	net.exe	35
PID 1344 wrote to memory of 1244	1344	net.exe	35
PID 1344 wrote to memory of 1244	1344	net.exe	35
PID 1752 wrote to memory of 808	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	36
PID 1752 wrote to memory of 808	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	36
PID 1752 wrote to memory of 808	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	36
PID 1752 wrote to memory of 808	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	36
PID 808 wrote to memory of 1824	808	cmd.exe	38
PID 808 wrote to memory of 1824	808	cmd.exe	38
PID 808 wrote to memory of 1824	808	cmd.exe	38
PID 808 wrote to memory of 1824	808	cmd.exe	38
PID 1824 wrote to memory of 1408	1824	net.exe	39
PID 1824 wrote to memory of 1408	1824	net.exe	39
PID 1824 wrote to memory of 1408	1824	net.exe	39
PID 1824 wrote to memory of 1408	1824	net.exe	39
PID 1752 wrote to memory of 2012	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	40
PID 1752 wrote to memory of 2012	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	40
PID 1752 wrote to memory of 2012	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	40
PID 1752 wrote to memory of 2012	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	40
PID 2012 wrote to memory of 592	2012	cmd.exe	42
PID 2012 wrote to memory of 592	2012	cmd.exe	42
PID 2012 wrote to memory of 592	2012	cmd.exe	42
PID 2012 wrote to memory of 592	2012	cmd.exe	42
PID 592 wrote to memory of 392	592	net.exe	43
PID 592 wrote to memory of 392	592	net.exe	43
PID 592 wrote to memory of 392	592	net.exe	43
PID 592 wrote to memory of 392	592	net.exe	43
PID 1752 wrote to memory of 1624	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	44
PID 1752 wrote to memory of 1624	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	44
PID 1752 wrote to memory of 1624	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	44
PID 1752 wrote to memory of 1624	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	44
PID 1624 wrote to memory of 1604	1624	cmd.exe	46
PID 1624 wrote to memory of 1604	1624	cmd.exe	46
PID 1624 wrote to memory of 1604	1624	cmd.exe	46
PID 1624 wrote to memory of 1604	1624	cmd.exe	46
PID 1604 wrote to memory of 1032	1604	net.exe	47
PID 1604 wrote to memory of 1032	1604	net.exe	47
PID 1604 wrote to memory of 1032	1604	net.exe	47
PID 1604 wrote to memory of 1032	1604	net.exe	47
PID 1752 wrote to memory of 1292	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	48
PID 1752 wrote to memory of 1292	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	48
PID 1752 wrote to memory of 1292	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	48
PID 1752 wrote to memory of 1292	1752	94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe	48

C:\Users\Admin\AppData\Local\Temp\94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
"C:\Users\Admin\AppData\Local\Temp\94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MySQL
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\net.exe
    net stop MySQL
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MySQL
      4⤵
      PID:1700

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads