Analysis
-
max time kernel
165s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 00:35
Static task
static1
Behavioral task
behavioral1
Sample
0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
Resource
win10v2004-en-20220113
General
-
Target
0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
-
Size
994KB
-
MD5
59121158ef88411544355a5bf293297c
-
SHA1
636510582fb27d2a23da35eeb55ef577f52caf68
-
SHA256
0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c
-
SHA512
fefbe9c3289f3cb410ddd8e742b3d27fba035827764aad47d304b9f0f23aef89a7215d85c6371c9900898b2b332b8b3a45a7fc117e33c43928f22b695609d4e2
Malware Config
Signatures
-
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
-
Modifies Windows Firewall 1 TTPs
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\desktop.ini 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\desktop.ini 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 24 http://www.sfml-dev.org/ip-provider.php -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\descript.ion 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dt_shmem.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\UnpublishSearch.rar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\manifest.json 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jfxwebkit.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\CompressConvertFrom.aiff.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\7-Zip\Lang\ta.txt.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\7-Zip\Lang\yo.txt.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\README.html 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.[[email protected]][H5J39RNVDI12Q4B].Spade 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe Token: SeBackupPrivilege 2540 TiWorker.exe Token: SeRestorePrivilege 2540 TiWorker.exe Token: SeSecurityPrivilege 2540 TiWorker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 4588 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 83 PID 4596 wrote to memory of 4588 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 83 PID 4596 wrote to memory of 4588 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 83 PID 4588 wrote to memory of 2632 4588 cmd.exe 85 PID 4588 wrote to memory of 2632 4588 cmd.exe 85 PID 4588 wrote to memory of 2632 4588 cmd.exe 85 PID 2632 wrote to memory of 2752 2632 net.exe 86 PID 2632 wrote to memory of 2752 2632 net.exe 86 PID 2632 wrote to memory of 2752 2632 net.exe 86 PID 4596 wrote to memory of 4848 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 87 PID 4596 wrote to memory of 4848 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 87 PID 4596 wrote to memory of 4848 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 87 PID 4848 wrote to memory of 4916 4848 cmd.exe 89 PID 4848 wrote to memory of 4916 4848 cmd.exe 89 PID 4848 wrote to memory of 4916 4848 cmd.exe 89 PID 4916 wrote to memory of 4852 4916 net.exe 90 PID 4916 wrote to memory of 4852 4916 net.exe 90 PID 4916 wrote to memory of 4852 4916 net.exe 90 PID 4596 wrote to memory of 1164 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 91 PID 4596 wrote to memory of 1164 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 91 PID 4596 wrote to memory of 1164 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 91 PID 1164 wrote to memory of 2392 1164 cmd.exe 93 PID 1164 wrote to memory of 2392 1164 cmd.exe 93 PID 1164 wrote to memory of 2392 1164 cmd.exe 93 PID 2392 wrote to memory of 4444 2392 net.exe 94 PID 2392 wrote to memory of 4444 2392 net.exe 94 PID 2392 wrote to memory of 4444 2392 net.exe 94 PID 4596 wrote to memory of 1272 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 95 PID 4596 wrote to memory of 1272 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 95 PID 4596 wrote to memory of 1272 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 95 PID 1272 wrote to memory of 3552 1272 cmd.exe 97 PID 1272 wrote to memory of 3552 1272 cmd.exe 97 PID 1272 wrote to memory of 3552 1272 cmd.exe 97 PID 3552 wrote to memory of 408 3552 net.exe 98 PID 3552 wrote to memory of 408 3552 net.exe 98 PID 3552 wrote to memory of 408 3552 net.exe 98 PID 4596 wrote to memory of 2892 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 99 PID 4596 wrote to memory of 2892 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 99 PID 4596 wrote to memory of 2892 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 99 PID 2892 wrote to memory of 1940 2892 cmd.exe 101 PID 2892 wrote to memory of 1940 2892 cmd.exe 101 PID 2892 wrote to memory of 1940 2892 cmd.exe 101 PID 1940 wrote to memory of 1960 1940 net.exe 102 PID 1940 wrote to memory of 1960 1940 net.exe 102 PID 1940 wrote to memory of 1960 1940 net.exe 102 PID 4596 wrote to memory of 3856 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 103 PID 4596 wrote to memory of 3856 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 103 PID 4596 wrote to memory of 3856 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 103 PID 4596 wrote to memory of 2384 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 105 PID 4596 wrote to memory of 2384 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 105 PID 4596 wrote to memory of 2384 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 105 PID 4596 wrote to memory of 2936 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 107 PID 4596 wrote to memory of 2936 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 107 PID 4596 wrote to memory of 2936 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 107 PID 4596 wrote to memory of 216 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 110 PID 4596 wrote to memory of 216 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 110 PID 4596 wrote to memory of 216 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 110 PID 216 wrote to memory of 4660 216 cmd.exe 112 PID 216 wrote to memory of 4660 216 cmd.exe 112 PID 216 wrote to memory of 4660 216 cmd.exe 112 PID 4660 wrote to memory of 3600 4660 net.exe 113 PID 4660 wrote to memory of 3600 4660 net.exe 113 PID 4660 wrote to memory of 3600 4660 net.exe 113 PID 4596 wrote to memory of 3464 4596 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe"C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵PID:2752
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵PID:4852
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵PID:4444
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵PID:408
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵PID:1960
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:3856
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵PID:2384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵PID:2936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵PID:3600
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵PID:3464
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵PID:4720
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵PID:3636
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵PID:5096
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵PID:4216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵PID:4244
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵PID:3572
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵PID:948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵PID:1784
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵PID:2356
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:1088
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540