ouroboros | 0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c

Analysis

max time kernel
165s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-02-2022 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
Size

994KB
MD5

59121158ef88411544355a5bf293297c
SHA1

636510582fb27d2a23da35eeb55ef577f52caf68
SHA256

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c
SHA512

fefbe9c3289f3cb410ddd8e742b3d27fba035827764aad47d304b9f0f23aef89a7215d85c6371c9900898b2b332b8b3a45a7fc117e33c43928f22b695609d4e2

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 4 IoCs

Processes:

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\desktop.ini	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 24 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	24	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\descript.ion	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dt_shmem.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\UnpublishSearch.rar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\manifest.json	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxwebkit.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\CompressConvertFrom.aiff.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.[[email protected]][H5J39RNVDI12Q4B].Spade	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Drops file in Windows directory 2 IoCs

Processes:

TiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

pid	process
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe
Token: SeBackupPrivilege	2540	TiWorker.exe
Token: SeRestorePrivilege	2540	TiWorker.exe
Token: SeSecurityPrivilege	2540	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 4588	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4588 wrote to memory of 2632	4588	cmd.exe	net.exe
PID 4588 wrote to memory of 2632	4588	cmd.exe	net.exe
PID 4588 wrote to memory of 2632	4588	cmd.exe	net.exe
PID 2632 wrote to memory of 2752	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2752	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2752	2632	net.exe	net1.exe
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 4848	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4848 wrote to memory of 4916	4848	cmd.exe	net.exe
PID 4848 wrote to memory of 4916	4848	cmd.exe	net.exe
PID 4848 wrote to memory of 4916	4848	cmd.exe	net.exe
PID 4916 wrote to memory of 4852	4916	net.exe	net1.exe
PID 4916 wrote to memory of 4852	4916	net.exe	net1.exe
PID 4916 wrote to memory of 4852	4916	net.exe	net1.exe
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 1164	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 1164 wrote to memory of 2392	1164	cmd.exe	net.exe
PID 1164 wrote to memory of 2392	1164	cmd.exe	net.exe
PID 1164 wrote to memory of 2392	1164	cmd.exe	net.exe
PID 2392 wrote to memory of 4444	2392	net.exe	net1.exe
PID 2392 wrote to memory of 4444	2392	net.exe	net1.exe
PID 2392 wrote to memory of 4444	2392	net.exe	net1.exe
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 1272	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 1272 wrote to memory of 3552	1272	cmd.exe	net.exe
PID 1272 wrote to memory of 3552	1272	cmd.exe	net.exe
PID 1272 wrote to memory of 3552	1272	cmd.exe	net.exe
PID 3552 wrote to memory of 408	3552	net.exe	net1.exe
PID 3552 wrote to memory of 408	3552	net.exe	net1.exe
PID 3552 wrote to memory of 408	3552	net.exe	net1.exe
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2892	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 2892 wrote to memory of 1940	2892	cmd.exe	net.exe
PID 2892 wrote to memory of 1940	2892	cmd.exe	net.exe
PID 2892 wrote to memory of 1940	2892	cmd.exe	net.exe
PID 1940 wrote to memory of 1960	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1960	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1960	1940	net.exe	net1.exe
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 3856	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2384	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 2936	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 4596 wrote to memory of 216	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe
PID 216 wrote to memory of 4660	216	cmd.exe	net.exe
PID 216 wrote to memory of 4660	216	cmd.exe	net.exe
PID 216 wrote to memory of 4660	216	cmd.exe	net.exe
PID 4660 wrote to memory of 3600	4660	net.exe	net1.exe
PID 4660 wrote to memory of 3600	4660	net.exe	net1.exe
PID 4660 wrote to memory of 3600	4660	net.exe	net1.exe
PID 4596 wrote to memory of 3464	4596	0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe
"C:\Users\Admin\AppData\Local\Temp\0822aba5ae3a202584bcf7289ea3fcac9b4108cd387e7688a2cf6a1d7691327c.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:4216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1088

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads