ouroboros | e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6

Analysis

max time kernel
4294181s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
Size

1.3MB
MD5

310c70d59334868d4831f9f9cdb879ab
SHA1

7b522bbde3dce99de92fcfb952d672a3923e00c1
SHA256

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6
SHA512

da1b987065a39c1b83dd1b245550292b6038d34c9113eb720381404d681717593321028fe00f5d835cc99fd0606d65fc3525c8ce218c19eb2e459a8d7603e993

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fil.pak.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\PipeTran.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\readme.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\ApproveUse.png.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\UpdateConnect.zip.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\gmail.crx.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\ResumeUnlock.M2V.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.[[email protected]][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	1712	WerFault.exe	26

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	28
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	28
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	28
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	28
PID 1900 wrote to memory of 1248	1900	cmd.exe	30
PID 1900 wrote to memory of 1248	1900	cmd.exe	30
PID 1900 wrote to memory of 1248	1900	cmd.exe	30
PID 1900 wrote to memory of 1248	1900	cmd.exe	30
PID 1248 wrote to memory of 1128	1248	net.exe	31
PID 1248 wrote to memory of 1128	1248	net.exe	31
PID 1248 wrote to memory of 1128	1248	net.exe	31
PID 1248 wrote to memory of 1128	1248	net.exe	31
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	32
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	32
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	32
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	32
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	34
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	34
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	34
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	34
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	36
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	36
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	36
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	36
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	38
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	38
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	38
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	38
PID 1976 wrote to memory of 1940	1976	cmd.exe	40
PID 1976 wrote to memory of 1940	1976	cmd.exe	40
PID 1976 wrote to memory of 1940	1976	cmd.exe	40
PID 1976 wrote to memory of 1940	1976	cmd.exe	40
PID 1940 wrote to memory of 948	1940	net.exe	41
PID 1940 wrote to memory of 948	1940	net.exe	41
PID 1940 wrote to memory of 948	1940	net.exe	41
PID 1940 wrote to memory of 948	1940	net.exe	41
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	42
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	42
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	42
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	42
PID 316 wrote to memory of 1928	316	cmd.exe	44
PID 316 wrote to memory of 1928	316	cmd.exe	44
PID 316 wrote to memory of 1928	316	cmd.exe	44
PID 316 wrote to memory of 1928	316	cmd.exe	44
PID 1928 wrote to memory of 2016	1928	net.exe	45
PID 1928 wrote to memory of 2016	1928	net.exe	45
PID 1928 wrote to memory of 2016	1928	net.exe	45
PID 1928 wrote to memory of 2016	1928	net.exe	45
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	46
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	46
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	46
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	46
PID 2000 wrote to memory of 876	2000	cmd.exe	48
PID 2000 wrote to memory of 876	2000	cmd.exe	48
PID 2000 wrote to memory of 876	2000	cmd.exe	48
PID 2000 wrote to memory of 876	2000	cmd.exe	48
PID 876 wrote to memory of 648	876	net.exe	49
PID 876 wrote to memory of 648	876	net.exe	49
PID 876 wrote to memory of 648	876	net.exe	49
PID 876 wrote to memory of 648	876	net.exe	49
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	50
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	50
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	50
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	50

C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
"C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:764
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 440
  2⤵
  - Program crash
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

Filesize
8KB

Download