ouroboros | 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c

Analysis

max time kernel
165s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12/02/2022, 00:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
Size

994KB
MD5

59121158ef88411544355a5bf293297c
SHA1

636510582fb27d2a23da35eeb55ef577f52caf68
SHA256

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c
SHA512

fefbe9c3289f3cb410ddd8e742b3d27fba035827764aad47d304b9f0f23aef89a7215d85c6371c9900898b2b332b8b3a45a7fc117e33c43928f22b695609d4e2

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	24	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\descript.ion	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dt_shmem.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\UnpublishSearch.rar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\manifest.json	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxwebkit.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\CompressConvertFrom.aiff.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.[VoidDeceryptor@tutanota.com][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	83
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	83
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	83
PID 4588 wrote to memory of 2632	4588	cmd.exe	85
PID 4588 wrote to memory of 2632	4588	cmd.exe	85
PID 4588 wrote to memory of 2632	4588	cmd.exe	85
PID 2632 wrote to memory of 2752	2632	net.exe	86
PID 2632 wrote to memory of 2752	2632	net.exe	86
PID 2632 wrote to memory of 2752	2632	net.exe	86
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	87
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	87
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	87
PID 4848 wrote to memory of 4916	4848	cmd.exe	89
PID 4848 wrote to memory of 4916	4848	cmd.exe	89
PID 4848 wrote to memory of 4916	4848	cmd.exe	89
PID 4916 wrote to memory of 4852	4916	net.exe	90
PID 4916 wrote to memory of 4852	4916	net.exe	90
PID 4916 wrote to memory of 4852	4916	net.exe	90
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	91
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	91
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	91
PID 1164 wrote to memory of 2392	1164	cmd.exe	93
PID 1164 wrote to memory of 2392	1164	cmd.exe	93
PID 1164 wrote to memory of 2392	1164	cmd.exe	93
PID 2392 wrote to memory of 4444	2392	net.exe	94
PID 2392 wrote to memory of 4444	2392	net.exe	94
PID 2392 wrote to memory of 4444	2392	net.exe	94
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	95
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	95
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	95
PID 1272 wrote to memory of 3552	1272	cmd.exe	97
PID 1272 wrote to memory of 3552	1272	cmd.exe	97
PID 1272 wrote to memory of 3552	1272	cmd.exe	97
PID 3552 wrote to memory of 408	3552	net.exe	98
PID 3552 wrote to memory of 408	3552	net.exe	98
PID 3552 wrote to memory of 408	3552	net.exe	98
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	99
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	99
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	99
PID 2892 wrote to memory of 1940	2892	cmd.exe	101
PID 2892 wrote to memory of 1940	2892	cmd.exe	101
PID 2892 wrote to memory of 1940	2892	cmd.exe	101
PID 1940 wrote to memory of 1960	1940	net.exe	102
PID 1940 wrote to memory of 1960	1940	net.exe	102
PID 1940 wrote to memory of 1960	1940	net.exe	102
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	103
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	103
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	103
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	105
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	105
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	105
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	107
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	107
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	107
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	110
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	110
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	110
PID 216 wrote to memory of 4660	216	cmd.exe	112
PID 216 wrote to memory of 4660	216	cmd.exe	112
PID 216 wrote to memory of 4660	216	cmd.exe	112
PID 4660 wrote to memory of 3600	4660	net.exe	113
PID 4660 wrote to memory of 3600	4660	net.exe	113
PID 4660 wrote to memory of 3600	4660	net.exe	113
PID 4596 wrote to memory of 3464	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	115

C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
"C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:4216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1088

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

Network

DNS

www.sfml-dev.org

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Remote address:

8.8.8.8:53

Request

www.sfml-dev.org

IN A

Response

www.sfml-dev.org

IN CNAME

sfml-dev.org

sfml-dev.org

IN A

78.47.82.133
GET

http://www.sfml-dev.org/ip-provider.php

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Remote address:

78.47.82.133:80

Request

GET /ip-provider.php HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: www.sfml-dev.org
user-agent: libsfml-network/2.x

Response

HTTP/1.1 200 OK

Date: Sat, 12 Feb 2022 00:36:10 GMT
Server: Apache
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
Content-Length: 12
Connection: close
Content-Type: text/html; charset=UTF-8
DNS

crl4.digicert.com

Remote address:

8.8.8.8:53

Request

crl4.digicert.com

IN A

Response

crl4.digicert.com

IN CNAME

cs9.wac.phicdn.net

cs9.wac.phicdn.net

IN A

93.184.220.29
GET

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D

Remote address:

93.184.220.29:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 2321
Cache-Control: max-age=117182
Content-Type: application/ocsp-response
Date: Sat, 12 Feb 2022 00:36:50 GMT
Etag: "62061ecf-1d7"
Expires: Sun, 13 Feb 2022 09:09:52 GMT
Last-Modified: Fri, 11 Feb 2022 08:31:11 GMT
Server: ECS (amb/6BAD)
X-Cache: HIT
Content-Length: 471
GET

http://crl3.digicert.com/Omniroot2025.crl

Remote address:

93.184.220.29:80

Request

GET /Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl3.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3770
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Sat, 12 Feb 2022 00:36:55 GMT
Etag: "2114594392"
Expires: Sat, 12 Feb 2022 03:36:55 GMT
Last-Modified: Tue, 08 Feb 2022 23:15:25 GMT
Server: ECS (amb/6BBA)
X-Cache: HIT
Content-Length: 7869
GET

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D

Remote address:

93.184.220.29:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 2424
Cache-Control: max-age=90965
Content-Type: application/ocsp-response
Date: Sat, 12 Feb 2022 00:37:38 GMT
Etag: "6205b82f-1d7"
Expires: Sun, 13 Feb 2022 01:53:43 GMT
Last-Modified: Fri, 11 Feb 2022 01:13:19 GMT
Server: ECS (amb/6B9B)
X-Cache: HIT
Content-Length: 471

78.47.82.133:80

http://www.sfml-dev.org/ip-provider.php

http

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

364 B
829 B
5
5

HTTP Request

GET http://www.sfml-dev.org/ip-provider.php

HTTP Response

200
172.98.203.175:80

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

260 B
5
93.184.220.29:80

crl4.digicert.com

260 B
5
172.98.203.178:80

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

260 B
5
93.184.220.29:80

crl4.digicert.com

260 B
5
93.184.220.29:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D

http

466 B
931 B
5
3

HTTP Request

GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D

HTTP Response

200
10.127.1.158:8080

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
93.184.220.29:80

http://crl3.digicert.com/Omniroot2025.crl

http

456 B
8.5kB
7
8

HTTP Request

GET http://crl3.digicert.com/Omniroot2025.crl

HTTP Response

200
93.184.220.29:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D

http

424 B
930 B
4
3

HTTP Request

GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D

HTTP Response

200

8.8.8.8:53

www.sfml-dev.org

dns

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

62 B
92 B
1
1

DNS Request

www.sfml-dev.org

DNS Response

78.47.82.133
8.8.8.8:53

crl4.digicert.com

dns

63 B
111 B
1
1

DNS Request

crl4.digicert.com

DNS Response

93.184.220.29

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.