ouroboros | 153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03

Analysis

max time kernel
155s
max time network
135s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
Size

1.3MB
MD5

7c81770eee7776811ccbf01584262ca7
SHA1

5632f27158227ec4b6b6910133cebe035dc20bcb
SHA256

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03
SHA512

39c515bc26ff320d8bfd07311ac927c5b68bac0b1b29b5f83235502f811b969b45edb6980656ac704b1963f562662f799a5275ca8c2f289d9d508f11a6c30437

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 15 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\LICENSE	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Cocos	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Juneau	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\picturePuzzle.css	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.[[email protected]][LX4N07KBVQGUJD1].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

pid	process
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1888 wrote to memory of 320	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 320	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 320	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 320	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 320 wrote to memory of 472	320	cmd.exe	net.exe
PID 320 wrote to memory of 472	320	cmd.exe	net.exe
PID 320 wrote to memory of 472	320	cmd.exe	net.exe
PID 320 wrote to memory of 472	320	cmd.exe	net.exe
PID 472 wrote to memory of 240	472	net.exe	net1.exe
PID 472 wrote to memory of 240	472	net.exe	net1.exe
PID 472 wrote to memory of 240	472	net.exe	net1.exe
PID 472 wrote to memory of 240	472	net.exe	net1.exe
PID 1888 wrote to memory of 1072	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1072	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1072	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1072	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 568	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 568	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 568	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 568	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1828	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1704	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1704	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1704	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1704	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1704 wrote to memory of 1544	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1544	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1544	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1544	1704	cmd.exe	net.exe
PID 1544 wrote to memory of 684	1544	net.exe	net1.exe
PID 1544 wrote to memory of 684	1544	net.exe	net1.exe
PID 1544 wrote to memory of 684	1544	net.exe	net1.exe
PID 1544 wrote to memory of 684	1544	net.exe	net1.exe
PID 1888 wrote to memory of 600	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 600	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 600	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 600	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 600 wrote to memory of 1084	600	cmd.exe	net.exe
PID 600 wrote to memory of 1084	600	cmd.exe	net.exe
PID 600 wrote to memory of 1084	600	cmd.exe	net.exe
PID 600 wrote to memory of 1084	600	cmd.exe	net.exe
PID 1084 wrote to memory of 1120	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1120	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1120	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1120	1084	net.exe	net1.exe
PID 1888 wrote to memory of 1100	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1100	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1100	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1100	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1100 wrote to memory of 1996	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1996	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1996	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1996	1100	cmd.exe	net.exe
PID 1996 wrote to memory of 1832	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1832	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1832	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1832	1996	net.exe	net1.exe
PID 1888 wrote to memory of 1488	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1488	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1488	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1888 wrote to memory of 1488	1888	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
"C:\Users\Admin\AppData\Local\Temp\153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:540
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download