ouroboros | 46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56

General

Target

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
Size

997KB
MD5

feb72e2081db664d7539b81060261a28
SHA1

357c7a47208fb8feddb54d50b8600be7cb075f1f
SHA256

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56
SHA512

ac8cd678fd39259a150c2d4ac88143197553acd1e91d98dfee3eefd655818e176888433363dfc49189c7c10c76b888c56684a993a782ae9222adc4ef95e7107a

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 13 IoCs

Processes:

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

Drops file in Program Files directory 64 IoCs

Processes:

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\RequestNew.fon	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ta.pak.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jre7\bin\installer.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcf.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt.[[email protected]][ID-EPCMBI2ZWQJO7DU].Void	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

NTFS ADS 3 IoCs

Processes:

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-3846991908-3261386348-1409841751-1000\"쀀ʨcʨcꨚ瞅\:쀀⍀a⍀aꨚ瞅\:쀀⑀a⑀aꨚ瞅\3쀀Ѐ	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-3846991908-3261386348-1409841751-1000\ꞔ瞅"쀀\ꞔ瞅:쀀\ꞔ瞅:쀀	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-3846991908-3261386348-1409841751-1000\ꞔ瞅"쀀쉐a셠aꨚ瞅\ꞔ瞅:쀀⍘a⍀aꨚ瞅\ꞔ瞅:쀀❸a❠aꨚ瞅	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

pid	process
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1564 wrote to memory of 320	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 320	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 320	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 320	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 320 wrote to memory of 708	320	cmd.exe	net.exe
PID 320 wrote to memory of 708	320	cmd.exe	net.exe
PID 320 wrote to memory of 708	320	cmd.exe	net.exe
PID 320 wrote to memory of 708	320	cmd.exe	net.exe
PID 708 wrote to memory of 744	708	net.exe	net1.exe
PID 708 wrote to memory of 744	708	net.exe	net1.exe
PID 708 wrote to memory of 744	708	net.exe	net1.exe
PID 708 wrote to memory of 744	708	net.exe	net1.exe
PID 1564 wrote to memory of 784	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 784	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 784	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 784	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 784 wrote to memory of 1376	784	cmd.exe	net.exe
PID 784 wrote to memory of 1376	784	cmd.exe	net.exe
PID 784 wrote to memory of 1376	784	cmd.exe	net.exe
PID 784 wrote to memory of 1376	784	cmd.exe	net.exe
PID 1376 wrote to memory of 1648	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1648	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1648	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1648	1376	net.exe	net1.exe
PID 1564 wrote to memory of 1696	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1696	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1696	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1696	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1696 wrote to memory of 1136	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1136	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1136	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1136	1696	cmd.exe	net.exe
PID 1136 wrote to memory of 1928	1136	net.exe	net1.exe
PID 1136 wrote to memory of 1928	1136	net.exe	net1.exe
PID 1136 wrote to memory of 1928	1136	net.exe	net1.exe
PID 1136 wrote to memory of 1928	1136	net.exe	net1.exe
PID 1564 wrote to memory of 704	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 704	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 704	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 704	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 704 wrote to memory of 1716	704	cmd.exe	net.exe
PID 704 wrote to memory of 1716	704	cmd.exe	net.exe
PID 704 wrote to memory of 1716	704	cmd.exe	net.exe
PID 704 wrote to memory of 1716	704	cmd.exe	net.exe
PID 1716 wrote to memory of 284	1716	net.exe	net1.exe
PID 1716 wrote to memory of 284	1716	net.exe	net1.exe
PID 1716 wrote to memory of 284	1716	net.exe	net1.exe
PID 1716 wrote to memory of 284	1716	net.exe	net1.exe
PID 1564 wrote to memory of 1336	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1336	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1336	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 1336	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1336 wrote to memory of 2008	1336	cmd.exe	net.exe
PID 1336 wrote to memory of 2008	1336	cmd.exe	net.exe
PID 1336 wrote to memory of 2008	1336	cmd.exe	net.exe
PID 1336 wrote to memory of 2008	1336	cmd.exe	net.exe
PID 2008 wrote to memory of 640	2008	net.exe	net1.exe
PID 2008 wrote to memory of 640	2008	net.exe	net1.exe
PID 2008 wrote to memory of 640	2008	net.exe	net1.exe
PID 2008 wrote to memory of 640	2008	net.exe	net1.exe
PID 1564 wrote to memory of 856	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 856	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 856	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe
PID 1564 wrote to memory of 856	1564	46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
"C:\Users\Admin\AppData\Local\Temp\46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
PID:1224

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
PID:844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:1332

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1780

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:1692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1960

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:2032

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads