ouroboros | e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6

Analysis

max time kernel
70s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
Size

1.3MB
MD5

310c70d59334868d4831f9f9cdb879ab
SHA1

7b522bbde3dce99de92fcfb952d672a3923e00c1
SHA256

e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6
SHA512

da1b987065a39c1b83dd1b245550292b6038d34c9113eb720381404d681717593321028fe00f5d835cc99fd0606d65fc3525c8ce218c19eb2e459a8d7603e993

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\desktop.ini	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	15	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\deploy.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60_altform-unplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_altform-unplated_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateY.PNG	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-lightunplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetDark.gif.DATA.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-125_contrast-black.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.[[email protected]][LOCWPNU2B4XJSDF].legend	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_contrast-white.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3900	2456	WerFault.exe	26
2576	3380	WerFault.exe	116
1852	1972	WerFault.exe	123
3324	2540	WerFault.exe	126
3496	3192	WerFault.exe	130

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\Ư8:箰ù	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\Ԁsk8:紘ùȀ	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\꙰úsk8:꘨ú	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	55
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	55
PID 3104 wrote to memory of 2360	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	55
PID 2360 wrote to memory of 3164	2360	cmd.exe	57
PID 2360 wrote to memory of 3164	2360	cmd.exe	57
PID 2360 wrote to memory of 3164	2360	cmd.exe	57
PID 3164 wrote to memory of 3028	3164	net.exe	58
PID 3164 wrote to memory of 3028	3164	net.exe	58
PID 3164 wrote to memory of 3028	3164	net.exe	58
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	59
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	59
PID 3104 wrote to memory of 1656	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	59
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	61
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	61
PID 3104 wrote to memory of 3628	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	61
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	64
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	64
PID 3104 wrote to memory of 2768	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	64
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	65
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	65
PID 3104 wrote to memory of 1488	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	65
PID 1488 wrote to memory of 2244	1488	cmd.exe	67
PID 1488 wrote to memory of 2244	1488	cmd.exe	67
PID 1488 wrote to memory of 2244	1488	cmd.exe	67
PID 2244 wrote to memory of 3844	2244	net.exe	68
PID 2244 wrote to memory of 3844	2244	net.exe	68
PID 2244 wrote to memory of 3844	2244	net.exe	68
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	69
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	69
PID 3104 wrote to memory of 3808	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	69
PID 3808 wrote to memory of 3852	3808	cmd.exe	72
PID 3808 wrote to memory of 3852	3808	cmd.exe	72
PID 3808 wrote to memory of 3852	3808	cmd.exe	72
PID 3852 wrote to memory of 2584	3852	net.exe	73
PID 3852 wrote to memory of 2584	3852	net.exe	73
PID 3852 wrote to memory of 2584	3852	net.exe	73
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	74
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	74
PID 3104 wrote to memory of 1504	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	74
PID 1504 wrote to memory of 2164	1504	cmd.exe	76
PID 1504 wrote to memory of 2164	1504	cmd.exe	76
PID 1504 wrote to memory of 2164	1504	cmd.exe	76
PID 2164 wrote to memory of 1856	2164	net.exe	77
PID 2164 wrote to memory of 1856	2164	net.exe	77
PID 2164 wrote to memory of 1856	2164	net.exe	77
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	78
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	78
PID 3104 wrote to memory of 640	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	78
PID 640 wrote to memory of 3004	640	cmd.exe	80
PID 640 wrote to memory of 3004	640	cmd.exe	80
PID 640 wrote to memory of 3004	640	cmd.exe	80
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	84
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	84
PID 3104 wrote to memory of 1996	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	84
PID 1996 wrote to memory of 2688	1996	cmd.exe	86
PID 1996 wrote to memory of 2688	1996	cmd.exe	86
PID 1996 wrote to memory of 2688	1996	cmd.exe	86
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	87
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	87
PID 3104 wrote to memory of 2980	3104	e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe	87
PID 2980 wrote to memory of 3596	2980	cmd.exe	89
PID 2980 wrote to memory of 3596	2980	cmd.exe	89
PID 2980 wrote to memory of 3596	2980	cmd.exe	89
PID 3596 wrote to memory of 4044	3596	net.exe	90

C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe
"C:\Users\Admin\AppData\Local\Temp\e008d7bb6343bc6424be5a2a4515a07c8a60d17bfb5a8653ab74822e585f03b6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:364
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2456 -ip 2456
1⤵
PID:3868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 1448
1⤵
- Program crash
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3380 -s 4420
  2⤵
  - Program crash
  PID:2576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3380 -ip 3380
1⤵
PID:2700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1972 -s 3880
  2⤵
  - Program crash
  PID:1852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 1972 -ip 1972
1⤵
PID:1200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2540 -s 4260
  2⤵
  - Program crash
  PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2540 -ip 2540
1⤵
PID:2580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3192 -s 3952
  2⤵
  - Program crash
  PID:3496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3192 -ip 3192
1⤵
PID:3664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-215-0x0000024341D00000-0x0000024341E00000-memory.dmp

Filesize
1024KB

Download
memory/3380-144-0x000001EF50750000-0x000001EF50758000-memory.dmp

Filesize
32KB

Download