ouroboros | 153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03

Analysis

max time kernel
165s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-02-2022 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
Size

1.3MB
MD5

7c81770eee7776811ccbf01584262ca7
SHA1

5632f27158227ec4b6b6910133cebe035dc20bcb
SHA256

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03
SHA512

39c515bc26ff320d8bfd07311ac927c5b68bac0b1b29b5f83235502f811b969b45edb6980656ac704b1963f562662f799a5275ca8c2f289d9d508f11a6c30437

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 5 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\desktop.ini	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 25 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	25	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-processthreads-l1-1-1.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\deployJava1.dll.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\SmallTile.scale-125.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\159.png	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\deploy.dll.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.[[email protected]][10TAEVWRJDXHY7F].lilium	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

pid	process
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 3908 wrote to memory of 1692	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 1692	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 1692	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1692 wrote to memory of 4512	1692	cmd.exe	net.exe
PID 1692 wrote to memory of 4512	1692	cmd.exe	net.exe
PID 1692 wrote to memory of 4512	1692	cmd.exe	net.exe
PID 4512 wrote to memory of 752	4512	net.exe	net1.exe
PID 4512 wrote to memory of 752	4512	net.exe	net1.exe
PID 4512 wrote to memory of 752	4512	net.exe	net1.exe
PID 3908 wrote to memory of 2984	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2984	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2984	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2740	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2740	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2740	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3152	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3152	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3152	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3636	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3636	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3636	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3636 wrote to memory of 3500	3636	cmd.exe	net.exe
PID 3636 wrote to memory of 3500	3636	cmd.exe	net.exe
PID 3636 wrote to memory of 3500	3636	cmd.exe	net.exe
PID 3500 wrote to memory of 208	3500	net.exe	net1.exe
PID 3500 wrote to memory of 208	3500	net.exe	net1.exe
PID 3500 wrote to memory of 208	3500	net.exe	net1.exe
PID 3908 wrote to memory of 1456	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 1456	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 1456	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 1456 wrote to memory of 4976	1456	cmd.exe	net.exe
PID 1456 wrote to memory of 4976	1456	cmd.exe	net.exe
PID 1456 wrote to memory of 4976	1456	cmd.exe	net.exe
PID 4976 wrote to memory of 4844	4976	net.exe	net1.exe
PID 4976 wrote to memory of 4844	4976	net.exe	net1.exe
PID 4976 wrote to memory of 4844	4976	net.exe	net1.exe
PID 3908 wrote to memory of 4308	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 4308	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 4308	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 4308 wrote to memory of 840	4308	cmd.exe	net.exe
PID 4308 wrote to memory of 840	4308	cmd.exe	net.exe
PID 4308 wrote to memory of 840	4308	cmd.exe	net.exe
PID 840 wrote to memory of 3656	840	net.exe	net1.exe
PID 840 wrote to memory of 3656	840	net.exe	net1.exe
PID 840 wrote to memory of 3656	840	net.exe	net1.exe
PID 3908 wrote to memory of 3080	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3080	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 3080	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3080 wrote to memory of 4024	3080	cmd.exe	netsh.exe
PID 3080 wrote to memory of 4024	3080	cmd.exe	netsh.exe
PID 3080 wrote to memory of 4024	3080	cmd.exe	netsh.exe
PID 3908 wrote to memory of 4200	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 4200	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 4200	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 4200 wrote to memory of 960	4200	cmd.exe	netsh.exe
PID 4200 wrote to memory of 960	4200	cmd.exe	netsh.exe
PID 4200 wrote to memory of 960	4200	cmd.exe	netsh.exe
PID 3908 wrote to memory of 2244	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2244	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 3908 wrote to memory of 2244	3908	153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe	cmd.exe
PID 2244 wrote to memory of 1780	2244	cmd.exe	net.exe
PID 2244 wrote to memory of 1780	2244	cmd.exe	net.exe
PID 2244 wrote to memory of 1780	2244	cmd.exe	net.exe
PID 1780 wrote to memory of 1888	1780	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe
"C:\Users\Admin\AppData\Local\Temp\153a11e6dfe886a1950c874309f33cee72411bce30d283ece10b8f2d5870ca03.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:5068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads