Overview

overview

10

Static

static

4c2a849bc7...3e.exe

windows7_x64

10

4c2a849bc7...3e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    196s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe

  • Size

    1.3MB

  • MD5

    2dc6efa90b95e2ddcb867a418a6f8e81

  • SHA1

    de304a84bef4bc0b66df369ce855ff21a1e231cf

  • SHA256

    4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e

  • SHA512

    d7a7111d77734ce5f8f7291102166e9466f5206038d6c367bed0156df406f298f42ad270adae213d495fae6f300d8601ddff7e12d2617113755b73a4baa2fa2b

Score
10/10
ouroborosevasionransomware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 48 IoCs
  • NTFS ADS 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe
    "C:\Users\Admin\AppData\Local\Temp\4c2a849bc79e4114ddea304a330fcb50f256745e04595bbaef0857c60d65943e.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          4⤵
            PID:656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:3028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
          2⤵
            PID:204
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
            2⤵
              PID:1140
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\SysWOW64\net.exe
                net stop SQLSERVERAGENT
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2944
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SQLSERVERAGENT
                  4⤵
                    PID:2696
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1224
                • C:\Windows\SysWOW64\net.exe
                  net stop MSSQLSERVER
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3920
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop MSSQLSERVER
                    4⤵
                      PID:3712
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c net stop vds
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1836
                  • C:\Windows\SysWOW64\net.exe
                    net stop vds
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3412
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop vds
                      4⤵
                        PID:1572
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3356
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh advfirewall set currentprofile state off
                      3⤵
                        PID:3620
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:780
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                          PID:2416
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop SQLWriter
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2824
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLWriter
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3372
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop SQLWriter
                            4⤵
                              PID:3864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c net stop SQLBrowser
                          2⤵
                            PID:2976
                            • C:\Windows\SysWOW64\net.exe
                              net stop SQLBrowser
                              3⤵
                                PID:1712
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop SQLBrowser
                                  4⤵
                                    PID:1552
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                                2⤵
                                  PID:60
                                  • C:\Windows\SysWOW64\net.exe
                                    net stop MSSQLSERVER
                                    3⤵
                                      PID:2932
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 stop MSSQLSERVER
                                        4⤵
                                          PID:3840
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
                                      2⤵
                                        PID:3740
                                        • C:\Windows\SysWOW64\net.exe
                                          net stop MSSQL$CONTOSO1
                                          3⤵
                                            PID:1012
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                                              4⤵
                                                PID:2588
                                        • C:\Windows\system32\MusNotifyIcon.exe
                                          %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                                          1⤵
                                          • Checks processor information in registry
                                          PID:3968
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p
                                          1⤵
                                          • Drops file in Windows directory
                                          • Modifies data under HKEY_USERS
                                          PID:1852
                                        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                          1⤵
                                          • Drops file in Windows directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3044

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads