ouroboros | 5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd

Analysis

max time kernel
152s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-03-2022 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
Size

1.3MB
MD5

516b7b7da67d36d1311350f751801e0b
SHA1

40964f706ff4ac8a8556ba8fde00c13684347057
SHA256

5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd
SHA512

cc61eb27f69cfd97cf23d87ad46df8c0042caceca2c14010c2d6e84ba9560a9b83a07c28bb404f8c32eae9b1092012412f9a7377620854ee35e1276fa2a1460a

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	16	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\resources.pri	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-unplated.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-125.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-400.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\net.properties	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\web_edge_permissions.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Logo.png.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\t2k.dll.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Unipulator.mp4	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-150.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymb.ttf	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Confirmation.m4a	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxManifest.xml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.Native.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportNoResults.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-400.HCWhite.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp140.dll.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\19.rsrc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties.[[email protected]][AI1ZKJMUC2RS3LB].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-200.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
388	2444	WerFault.exe	11
3900	3632	WerFault.exe	118
2844	3824	WerFault.exe	123
1248	2808	WerFault.exe	128

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\⅀rsk8:Ṱr	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:솘u	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Documents and Settings\\⃸rsk8:ᙈr	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\Ȁsk8:₰rȀ\؀ᐴr۫敨tȀŊ۫豻瞨Y夀\Ȁ渼瞨۫鶸sº먀Ŋ熒瞨豻瞨Ȁ	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 388	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	57
PID 2144 wrote to memory of 388	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	57
PID 2144 wrote to memory of 388	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	57
PID 388 wrote to memory of 3380	388	cmd.exe	60
PID 388 wrote to memory of 3380	388	cmd.exe	60
PID 388 wrote to memory of 3380	388	cmd.exe	60
PID 3380 wrote to memory of 3584	3380	net.exe	61
PID 3380 wrote to memory of 3584	3380	net.exe	61
PID 3380 wrote to memory of 3584	3380	net.exe	61
PID 2144 wrote to memory of 116	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	62
PID 2144 wrote to memory of 116	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	62
PID 2144 wrote to memory of 116	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	62
PID 2144 wrote to memory of 3432	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	64
PID 2144 wrote to memory of 3432	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	64
PID 2144 wrote to memory of 3432	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	64
PID 2144 wrote to memory of 2840	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	66
PID 2144 wrote to memory of 2840	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	66
PID 2144 wrote to memory of 2840	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	66
PID 2144 wrote to memory of 648	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	69
PID 2144 wrote to memory of 648	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	69
PID 2144 wrote to memory of 648	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	69
PID 648 wrote to memory of 1876	648	cmd.exe	71
PID 648 wrote to memory of 1876	648	cmd.exe	71
PID 648 wrote to memory of 1876	648	cmd.exe	71
PID 1876 wrote to memory of 3276	1876	net.exe	72
PID 1876 wrote to memory of 3276	1876	net.exe	72
PID 1876 wrote to memory of 3276	1876	net.exe	72
PID 2144 wrote to memory of 2708	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	73
PID 2144 wrote to memory of 2708	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	73
PID 2144 wrote to memory of 2708	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	73
PID 2708 wrote to memory of 2992	2708	cmd.exe	75
PID 2708 wrote to memory of 2992	2708	cmd.exe	75
PID 2708 wrote to memory of 2992	2708	cmd.exe	75
PID 2992 wrote to memory of 3456	2992	net.exe	76
PID 2992 wrote to memory of 3456	2992	net.exe	76
PID 2992 wrote to memory of 3456	2992	net.exe	76
PID 2144 wrote to memory of 220	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	77
PID 2144 wrote to memory of 220	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	77
PID 2144 wrote to memory of 220	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	77
PID 220 wrote to memory of 2756	220	cmd.exe	79
PID 220 wrote to memory of 2756	220	cmd.exe	79
PID 220 wrote to memory of 2756	220	cmd.exe	79
PID 2756 wrote to memory of 1428	2756	net.exe	80
PID 2756 wrote to memory of 1428	2756	net.exe	80
PID 2756 wrote to memory of 1428	2756	net.exe	80
PID 2144 wrote to memory of 1888	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	81
PID 2144 wrote to memory of 1888	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	81
PID 2144 wrote to memory of 1888	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	81
PID 1888 wrote to memory of 3488	1888	cmd.exe	83
PID 1888 wrote to memory of 3488	1888	cmd.exe	83
PID 1888 wrote to memory of 3488	1888	cmd.exe	83
PID 2144 wrote to memory of 2468	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	88
PID 2144 wrote to memory of 2468	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	88
PID 2144 wrote to memory of 2468	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	88
PID 2468 wrote to memory of 2652	2468	cmd.exe	90
PID 2468 wrote to memory of 2652	2468	cmd.exe	90
PID 2468 wrote to memory of 2652	2468	cmd.exe	90
PID 2144 wrote to memory of 3540	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	91
PID 2144 wrote to memory of 3540	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	91
PID 2144 wrote to memory of 3540	2144	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	91
PID 3540 wrote to memory of 540	3540	cmd.exe	93
PID 3540 wrote to memory of 540	3540	cmd.exe	93
PID 3540 wrote to memory of 540	3540	cmd.exe	93
PID 540 wrote to memory of 2696	540	net.exe	94

C:\Users\Admin\AppData\Local\Temp\5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
"C:\Users\Admin\AppData\Local\Temp\5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:3176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:3916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2444 -ip 2444
1⤵
PID:1404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2444 -s 2936
1⤵
- Program crash
PID:388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3632 -s 4052
  2⤵
  - Program crash
  PID:3900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3632 -ip 3632
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3824 -s 4320
  2⤵
  - Program crash
  PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3824 -ip 3824
1⤵
PID:3200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2808 -s 3868
  2⤵
  - Program crash
  PID:1248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2808 -ip 2808
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-139-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2808-200-0x0000025F4F050000-0x0000025F4F150000-memory.dmp

Filesize
1024KB

Download