Analysis
- max time kernel: 164s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 00:26
Static task: static1
Behavioral task: behavioral1
- Sample: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
- Resource: win10v2004-en-20220113
General
- Target: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe
- Size: 1.0MB
- MD5: 4d4c7db3318f4c6e7988c0df757513bc
- SHA1: 5cba2c8b3cc9d78a5e3e95b7d5c0675c86834795
- SHA256: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1
- SHA512: 268639d6a7959828224e011587e293233d1282b4e23a03dec9832e5a3d74b9a01d99de19c8eab9c8618c79991adb81db6c34a93c67d87be6021167924401dca3
Malware Config
Signatures
- Ouroboros/Zeropadypt
  Ransomware family based on open-source CryptoWire.
- Drops desktop.ini file(s) (4 IoCs)
  Process: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe (all entries)
  - File created: C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
  - File opened for modification: C:\Program Files\desktop.ini
  - File created: C:\Program Files\desktop.ini
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - HTTP URL (flow 24): http://www.sfml-dev.org/ip-provider.php
- Drops file in Program Files directory (64 IoCs)
  Process: 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe (all 64 entries)
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml
  - File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
  - File opened for modification: C:\Program Files\Common Files\System\it-IT
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm
  - File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine
  - File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml
  - File opened for modification: C:\Program Files\7-Zip\Lang\id.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\7-Zip\Lang\is.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File created: C:\Program Files\7-Zip\Lang\va.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF
  - File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\7-Zip\Lang\co.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File created: C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
  - File created: C:\Program Files\7-Zip\Lang\es.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png
  - File opened for modification: C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\JAWTAccessBridge-64.dll
  - File opened for modification: C:\Program Files\7-Zip\Lang\zh-tw.txt
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui
  - File opened for modification: C:\Program Files\Google\Chrome\Application\master_preferences
  - File opened for modification: C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB
  - File created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar
  - File opened for modification: C:\Program Files\7-Zip\Lang\ne.txt.Email=[[email protected]]ID=[VIQEBGHL23ZNJYK].odveta
- Drops file in Windows directory (6 IoCs)
  Process: svchost.exe (all entries)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
  - File opened for modification: C:\Windows\WindowsUpdate.log
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  - pid 1476, process 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe (36 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Process: svchost.exe, pid 1180 (all entries)
  - Token: SeShutdownPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeCreatePagefilePrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description, pid, process, procid_target. Each entry is recorded three times unless noted.
  - PID 1476 wrote to memory of 4512; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 83
  - PID 4512 wrote to memory of 3276; 4512; cmd.exe; 85
  - PID 3276 wrote to memory of 1916; 3276; net.exe; 86
  - PID 1476 wrote to memory of 1536; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 89
  - PID 1536 wrote to memory of 1840; 1536; cmd.exe; 91
  - PID 1840 wrote to memory of 2760; 1840; net.exe; 92
  - PID 1476 wrote to memory of 2080; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 93
  - PID 2080 wrote to memory of 2912; 2080; cmd.exe; 96
  - PID 2912 wrote to memory of 3052; 2912; net.exe; 97
  - PID 1476 wrote to memory of 3676; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 98
  - PID 3676 wrote to memory of 4036; 3676; cmd.exe; 101
  - PID 4036 wrote to memory of 4680; 4036; net.exe; 102
  - PID 1476 wrote to memory of 4828; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 103
  - PID 4828 wrote to memory of 3516; 4828; cmd.exe; 105
  - PID 3516 wrote to memory of 224; 3516; net.exe; 106
  - PID 1476 wrote to memory of 4776; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 107
  - PID 4776 wrote to memory of 448; 4776; cmd.exe; 109
  - PID 448 wrote to memory of 3740; 448; net.exe; 110
  - PID 1476 wrote to memory of 4108; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 111
  - PID 4108 wrote to memory of 4272; 4108; cmd.exe; 113
  - PID 4272 wrote to memory of 4148; 4272; net.exe; 114
  - PID 1476 wrote to memory of 2164; 1476; 94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe; 115 (recorded once)
Processes
(tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe (PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\94afdfe738467eae8094ba37281096fddffa7970a31a688c934c92dc0fac4eb1.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4512)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 3276)
      Command line: net stop SQLWriter
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 1916)
        Command line: C:\Windows\system32\net1 stop SQLWriter

  C:\Windows\SysWOW64\cmd.exe (PID 1536)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 1840)
      Command line: net stop SQLBrowser
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2760)
        Command line: C:\Windows\system32\net1 stop SQLBrowser

  C:\Windows\SysWOW64\cmd.exe (PID 2080)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 2912)
      Command line: net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 3052)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER

  C:\Windows\SysWOW64\cmd.exe (PID 3676)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 4036)
      Command line: net stop MSSQL$CONTOSO1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 4680)
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1

  C:\Windows\SysWOW64\cmd.exe (PID 4828)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 3516)
      Command line: net stop MSDTC
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 224)
        Command line: C:\Windows\system32\net1 stop MSDTC

  C:\Windows\SysWOW64\cmd.exe (PID 4776)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 448)
      Command line: net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 3740)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT

  C:\Windows\SysWOW64\cmd.exe (PID 4108)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 4272)
      Command line: net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 4148)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER

  C:\Windows\SysWOW64\cmd.exe (PID 2164)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    C:\Windows\SysWOW64\net.exe (PID 4500)
      Command line: net stop SQLSERVERAGENT
      C:\Windows\SysWOW64\net1.exe (PID 2252)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT

  C:\Windows\SysWOW64\cmd.exe (PID 3800)
    Command line: C:\Windows\system32\cmd.exe /c net stop MySQL
    C:\Windows\SysWOW64\net.exe (PID 4736)
      Command line: net stop MySQL
      C:\Windows\SysWOW64\net1.exe (PID 4896)
        Command line: C:\Windows\system32\net1 stop MySQL

C:\Windows\system32\svchost.exe (PID 1180)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken