Overview

overview

10

Static

static

46afbb7804...56.exe

windows7_x64

10

46afbb7804...56.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    172s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe

  • Size

    997KB

  • MD5

    feb72e2081db664d7539b81060261a28

  • SHA1

    357c7a47208fb8feddb54d50b8600be7cb075f1f

  • SHA256

    46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56

  • SHA512

    ac8cd678fd39259a150c2d4ac88143197553acd1e91d98dfee3eefd655818e176888433363dfc49189c7c10c76b888c56684a993a782ae9222adc4ef95e7107a

Score
10/10
ouroborosevasionransomware

Malware Config

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe
    "C:\Users\Admin\AppData\Local\Temp\46afbb780469fd2a5819a9d9ab9d30d2a0d463ff02e6638790624cf326e68b56.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
            PID:984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            4⤵
              PID:2140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\SysWOW64\net.exe
            net stop MSSQLSERVER
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MSSQLSERVER
              4⤵
                PID:364
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\SysWOW64\net.exe
              net stop MSSQL$CONTOSO1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3992
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                4⤵
                  PID:3416
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop MSDTC
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3404
              • C:\Windows\SysWOW64\net.exe
                net stop MSDTC
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2764
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop MSDTC
                  4⤵
                    PID:1844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                  PID:2268
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
                  2⤵
                    PID:2576
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
                    2⤵
                      PID:1588
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1860
                      • C:\Windows\SysWOW64\net.exe
                        net stop SQLSERVERAGENT
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1576
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop SQLSERVERAGENT
                          4⤵
                            PID:3240
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                        2⤵
                          PID:3200
                          • C:\Windows\SysWOW64\net.exe
                            net stop MSSQLSERVER
                            3⤵
                              PID:1628
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop MSSQLSERVER
                                4⤵
                                  PID:1984
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c net stop vds
                              2⤵
                                PID:2484
                                • C:\Windows\SysWOW64\net.exe
                                  net stop vds
                                  3⤵
                                    PID:3888
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop vds
                                      4⤵
                                        PID:2488
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                                    2⤵
                                      PID:3744
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh advfirewall set currentprofile state off
                                        3⤵
                                          PID:3608
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                                        2⤵
                                          PID:376
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall set opmode mode=disable
                                            3⤵
                                              PID:3620
                                        • C:\Windows\system32\MusNotifyIcon.exe
                                          %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                                          1⤵
                                          • Checks processor information in registry
                                          PID:3756
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p
                                          1⤵
                                          • Drops file in Windows directory
                                          • Modifies data under HKEY_USERS
                                          PID:3412
                                        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                          1⤵
                                          • Drops file in Windows directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2928

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Execution

                                        Persistence

                                        Modify Existing Service

                                        1
                                        T1031

                                        Privilege Escalation

                                        Defense Evasion

                                        Credential Access

                                        Discovery

                                        Query Registry

                                        1
                                        T1012

                                        System Information Discovery

                                        1
                                        T1082

                                        Lateral Movement

                                        Collection

                                        Exfiltration

                                        Command and Control

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads