ouroboros | 05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-03-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
Size

1.3MB
MD5

815f827cbedec5631f73178fd1ac9aa8
SHA1

faea120b3544f66dd88e237b2422897d50612ba3
SHA256

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9
SHA512

9ffaf31f9a9cad70af30ffe9fbddff6598632da78cab14e4c83ae6e2a69ef7be219a7fc56fc34980ae4f8682cac021b9c48d197927895e584eb124731db0103e

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 13 IoCs

Processes:

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcfr.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Makassar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.[[email protected]][JBWNS063K9TCDQH].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1492 792 WerFault.exe 05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
Runs net.exe

pid	pid_target	process	target process
1492	792	WerFault.exe	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

pid	process
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 792 wrote to memory of 1920	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1920	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1920	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1920	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 1920 wrote to memory of 516	1920	cmd.exe	net.exe
PID 1920 wrote to memory of 516	1920	cmd.exe	net.exe
PID 1920 wrote to memory of 516	1920	cmd.exe	net.exe
PID 1920 wrote to memory of 516	1920	cmd.exe	net.exe
PID 516 wrote to memory of 268	516	net.exe	net1.exe
PID 516 wrote to memory of 268	516	net.exe	net1.exe
PID 516 wrote to memory of 268	516	net.exe	net1.exe
PID 516 wrote to memory of 268	516	net.exe	net1.exe
PID 792 wrote to memory of 1496	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1496	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1496	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1496	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 620	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 620	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 620	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 620	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1572	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1572	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1572	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1572	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 360	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 360	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 360	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 360	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 360 wrote to memory of 2032	360	cmd.exe	net.exe
PID 360 wrote to memory of 2032	360	cmd.exe	net.exe
PID 360 wrote to memory of 2032	360	cmd.exe	net.exe
PID 360 wrote to memory of 2032	360	cmd.exe	net.exe
PID 2032 wrote to memory of 428	2032	net.exe	net1.exe
PID 2032 wrote to memory of 428	2032	net.exe	net1.exe
PID 2032 wrote to memory of 428	2032	net.exe	net1.exe
PID 2032 wrote to memory of 428	2032	net.exe	net1.exe
PID 792 wrote to memory of 1644	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1644	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1644	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1644	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 1644 wrote to memory of 1640	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1640	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1640	1644	cmd.exe	net.exe
PID 1644 wrote to memory of 1640	1644	cmd.exe	net.exe
PID 1640 wrote to memory of 1080	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1080	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1080	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1080	1640	net.exe	net1.exe
PID 792 wrote to memory of 1132	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1132	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1132	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1132	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 1132 wrote to memory of 1788	1132	cmd.exe	net.exe
PID 1132 wrote to memory of 1788	1132	cmd.exe	net.exe
PID 1132 wrote to memory of 1788	1132	cmd.exe	net.exe
PID 1132 wrote to memory of 1788	1132	cmd.exe	net.exe
PID 1788 wrote to memory of 1900	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1900	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1900	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1900	1788	net.exe	net1.exe
PID 792 wrote to memory of 1444	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1444	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1444	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe
PID 792 wrote to memory of 1444	792	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
"C:\Users\Admin\AppData\Local\Temp\05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:584
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 464
  2⤵
  - Program crash
  PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download