ouroboros | b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f

Analysis

max time kernel
82s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-03-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
Size

994KB
MD5

c43c4e32d8f30c6c63aea0d6dc5c11cd
SHA1

93d1bc3f0b9e03a43bcf789928ac12ecdea24588
SHA256

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f
SHA512

95566d9f393e5bb9ab44834841e757eeb4c326ec454ce34e955e20b499d3ff8a5585fb91abb6ac1043fd76ad6942e447f9d36a353895a74654ce73bf74452d52

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	21	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.HxCalendar.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.cpl	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\file_icons.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-200.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-150.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-100.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us.gif.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-150.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32_altform-unplated.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-100.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\msointlimm.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-125.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\clrcompression.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-white.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\GlowInTheDark.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FR_Back_Landscape_Med_1920x1080.jpg	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-200.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources.pri	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.[[email protected]][BFTHA10LU723EZN].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1844	2428	WerFault.exe	34
3180	3740	WerFault.exe	117
1888	3652	WerFault.exe	125
3524	4008	WerFault.exe	129

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3324	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	57
PID 4044 wrote to memory of 3324	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	57
PID 4044 wrote to memory of 3324	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	57
PID 3324 wrote to memory of 3520	3324	cmd.exe	59
PID 3324 wrote to memory of 3520	3324	cmd.exe	59
PID 3324 wrote to memory of 3520	3324	cmd.exe	59
PID 3520 wrote to memory of 3284	3520	net.exe	60
PID 3520 wrote to memory of 3284	3520	net.exe	60
PID 3520 wrote to memory of 3284	3520	net.exe	60
PID 4044 wrote to memory of 2584	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	64
PID 4044 wrote to memory of 2584	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	64
PID 4044 wrote to memory of 2584	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	64
PID 2584 wrote to memory of 3648	2584	cmd.exe	66
PID 2584 wrote to memory of 3648	2584	cmd.exe	66
PID 2584 wrote to memory of 3648	2584	cmd.exe	66
PID 3648 wrote to memory of 780	3648	net.exe	67
PID 3648 wrote to memory of 780	3648	net.exe	67
PID 3648 wrote to memory of 780	3648	net.exe	67
PID 4044 wrote to memory of 872	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	68
PID 4044 wrote to memory of 872	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	68
PID 4044 wrote to memory of 872	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	68
PID 872 wrote to memory of 564	872	cmd.exe	70
PID 872 wrote to memory of 564	872	cmd.exe	70
PID 872 wrote to memory of 564	872	cmd.exe	70
PID 564 wrote to memory of 1932	564	net.exe	71
PID 564 wrote to memory of 1932	564	net.exe	71
PID 564 wrote to memory of 1932	564	net.exe	71
PID 4044 wrote to memory of 636	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	72
PID 4044 wrote to memory of 636	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	72
PID 4044 wrote to memory of 636	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	72
PID 636 wrote to memory of 3112	636	cmd.exe	74
PID 636 wrote to memory of 3112	636	cmd.exe	74
PID 636 wrote to memory of 3112	636	cmd.exe	74
PID 3112 wrote to memory of 3440	3112	net.exe	75
PID 3112 wrote to memory of 3440	3112	net.exe	75
PID 3112 wrote to memory of 3440	3112	net.exe	75
PID 4044 wrote to memory of 1976	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	76
PID 4044 wrote to memory of 1976	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	76
PID 4044 wrote to memory of 1976	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	76
PID 1976 wrote to memory of 3700	1976	cmd.exe	78
PID 1976 wrote to memory of 3700	1976	cmd.exe	78
PID 1976 wrote to memory of 3700	1976	cmd.exe	78
PID 3700 wrote to memory of 1948	3700	net.exe	79
PID 3700 wrote to memory of 1948	3700	net.exe	79
PID 3700 wrote to memory of 1948	3700	net.exe	79
PID 4044 wrote to memory of 1488	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	80
PID 4044 wrote to memory of 1488	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	80
PID 4044 wrote to memory of 1488	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	80
PID 4044 wrote to memory of 1292	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	82
PID 4044 wrote to memory of 1292	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	82
PID 4044 wrote to memory of 1292	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	82
PID 4044 wrote to memory of 2096	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	85
PID 4044 wrote to memory of 2096	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	85
PID 4044 wrote to memory of 2096	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	85
PID 4044 wrote to memory of 2076	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	87
PID 4044 wrote to memory of 2076	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	87
PID 4044 wrote to memory of 2076	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	87
PID 2076 wrote to memory of 524	2076	cmd.exe	89
PID 2076 wrote to memory of 524	2076	cmd.exe	89
PID 2076 wrote to memory of 524	2076	cmd.exe	89
PID 524 wrote to memory of 732	524	net.exe	90
PID 524 wrote to memory of 732	524	net.exe	90
PID 524 wrote to memory of 732	524	net.exe	90
PID 4044 wrote to memory of 1360	4044	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	91

C:\Users\Admin\AppData\Local\Temp\b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
"C:\Users\Admin\AppData\Local\Temp\b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:3400
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:3064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 2428 -ip 2428
1⤵
PID:2304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2428 -s 2984
1⤵
- Program crash
PID:1844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3740 -s 4308
  2⤵
  - Program crash
  PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3740 -ip 3740
1⤵
PID:2548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3652 -s 3932
  2⤵
  - Program crash
  PID:1888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3652 -ip 3652
1⤵
PID:2312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4008 -s 4280
  2⤵
  - Program crash
  PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4008 -ip 4008
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-138-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download