ouroboros | e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6

General

Target

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
Size

1.3MB
MD5

310c70d59334868d4831f9f9cdb879ab
SHA1

7b522bbde3dce99de92fcfb952d672a3923e00c1
SHA256

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6
SHA512

da1b987065a39c1b83dd1b245550292b6038d34c9113eb720381404d681717593321028fe00f5d835cc99fd0606d65fc3525c8ce218c19eb2e459a8d7603e993

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fil.pak.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\PipeTran.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\readme.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\ApproveUse.png.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\UpdateConnect.zip.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\gmail.crx.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\ResumeUnlock.M2V.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.[legendencrypt1@criptext.com][76TAMY2SOC9EU3N].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 1712 WerFault.exe e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
Runs net.exe

pid	pid_target	process	target process
1488	1712	WerFault.exe	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

pid	process
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1900	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1900 wrote to memory of 1248	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 1248	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 1248	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 1248	1900	cmd.exe	net.exe
PID 1248 wrote to memory of 1128	1248	net.exe	net1.exe
PID 1248 wrote to memory of 1128	1248	net.exe	net1.exe
PID 1248 wrote to memory of 1128	1248	net.exe	net1.exe
PID 1248 wrote to memory of 1128	1248	net.exe	net1.exe
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1080	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1504	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1696	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1976	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	net.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	net.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	net.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	net.exe
PID 1940 wrote to memory of 948	1940	net.exe	net1.exe
PID 1940 wrote to memory of 948	1940	net.exe	net1.exe
PID 1940 wrote to memory of 948	1940	net.exe	net1.exe
PID 1940 wrote to memory of 948	1940	net.exe	net1.exe
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 316	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 316 wrote to memory of 1928	316	cmd.exe	net.exe
PID 316 wrote to memory of 1928	316	cmd.exe	net.exe
PID 316 wrote to memory of 1928	316	cmd.exe	net.exe
PID 316 wrote to memory of 1928	316	cmd.exe	net.exe
PID 1928 wrote to memory of 2016	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2016	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2016	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2016	1928	net.exe	net1.exe
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 2000	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 2000 wrote to memory of 876	2000	cmd.exe	net.exe
PID 2000 wrote to memory of 876	2000	cmd.exe	net.exe
PID 2000 wrote to memory of 876	2000	cmd.exe	net.exe
PID 2000 wrote to memory of 876	2000	cmd.exe	net.exe
PID 876 wrote to memory of 648	876	net.exe	net1.exe
PID 876 wrote to memory of 648	876	net.exe	net1.exe
PID 876 wrote to memory of 648	876	net.exe	net1.exe
PID 876 wrote to memory of 648	876	net.exe	net1.exe
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe
PID 1712 wrote to memory of 1896	1712	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
"C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1896

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:764

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
PID:1236

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:1908

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:1372

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:1652

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 440
2⤵
- Program crash
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads