Analysis
- max time kernel: 157s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 00:32

Static task: static1

Behavioral task: behavioral1
- Sample: 4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe
- Resource: win10v2004-en-20220112
General
- Target: 4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe
- Size: 1.3MB
- MD5: 2dc6efa90b95e2ddcb867a418a6f8e81
- SHA1: de304a84bef4bc0b66df369ce855ff21a1e231cf
- SHA256: 4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e
- SHA512: d7a7111d77734ce5f8f7291102166e9466f5206038d6c367bed0156df406f298f42ad270adae213d495fae6f300d8601ddff7e12d2617113755b73a4baa2fa2b
Malware Config

Signatures
- Ouroboros/Zeropadypt: Ransomware family based on open-source CryptoWire.
- Modifies Windows Firewall (1 TTPs)
- Drops desktop.ini file(s) (15 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (64 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe (PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe"
  Signatures: Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1388)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1080)
      Command line: net stop MSDTC
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 832)
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe (PID 524)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe (PID 568)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe (PID 456)
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe (PID 852)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1796)
      Command line: net stop SQLSERVERAGENT
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1944)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe (PID 396)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1192)
      Command line: net stop MSSQLSERVER
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1092)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 1440)
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1820)
      Command line: net stop vds
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1468)
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe (PID 1172)
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - C:\Windows\SysWOW64\netsh.exe (PID 888)
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe (PID 1156)
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - C:\Windows\SysWOW64\netsh.exe (PID 288)
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe (PID 2004)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - C:\Windows\SysWOW64\net.exe (PID 804)
      Command line: net stop SQLWriter
      - C:\Windows\SysWOW64\net1.exe (PID 912)
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe (PID 556)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe (PID 240)
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe (PID 1912)
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe (PID 1664)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe (PID 1164)
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe (PID 1568)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 1348)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe (PID 1572)
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe (PID 884)
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1