ouroboros | c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa

General

Target

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
Size

1011KB
MD5

73528b74e4edb1c32a4d88abe34ae437
SHA1

b97c0fc8a34e88c03704e43829c550d765398a3c
SHA256

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa
SHA512

523cd56a44e91fc3084b76d68dbce6e77dac190716833cce455d2091894b403def7132475ec748b0d26fed90a4fcfc5d5f65f0eba098bc7d8ac4853ae9e547ec

Score

10^/10

ouroboros evasion ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 5 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 12 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	12	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_40x40x32.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\wdt.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlc.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Resources.pri	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\AddStroke_Illustration.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-200_contrast-black.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_ru.json	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated_contrast-black.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.Email=[[email protected]]ID=[V1AB5HM0CFSN76I].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

NTFS ADS 4 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-2632097139-1792035885-811742494-1000\隨Ãsk8:钰Ã	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2632097139-1792035885-811742494-1000\韈Ãsk8:阘Ã	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2632097139-1792035885-811742494-1000\de8:հÄ	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2632097139-1792035885-811742494-1000\᠀Ésk8:ᥨÉ	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

pid	process
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1740 wrote to memory of 2420	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2420	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2420	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 2420 wrote to memory of 3532	2420	cmd.exe	net.exe
PID 2420 wrote to memory of 3532	2420	cmd.exe	net.exe
PID 2420 wrote to memory of 3532	2420	cmd.exe	net.exe
PID 3532 wrote to memory of 3356	3532	net.exe	net1.exe
PID 3532 wrote to memory of 3356	3532	net.exe	net1.exe
PID 3532 wrote to memory of 3356	3532	net.exe	net1.exe
PID 1740 wrote to memory of 4236	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4236	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4236	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	net.exe
PID 3604 wrote to memory of 4104	3604	net.exe	net1.exe
PID 3604 wrote to memory of 4104	3604	net.exe	net1.exe
PID 3604 wrote to memory of 4104	3604	net.exe	net1.exe
PID 1740 wrote to memory of 3108	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 3108	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 3108	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 3108 wrote to memory of 4372	3108	cmd.exe	net.exe
PID 3108 wrote to memory of 4372	3108	cmd.exe	net.exe
PID 3108 wrote to memory of 4372	3108	cmd.exe	net.exe
PID 4372 wrote to memory of 4720	4372	net.exe	net1.exe
PID 4372 wrote to memory of 4720	4372	net.exe	net1.exe
PID 4372 wrote to memory of 4720	4372	net.exe	net1.exe
PID 1740 wrote to memory of 4912	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4912	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4912	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 4912 wrote to memory of 384	4912	cmd.exe	net.exe
PID 4912 wrote to memory of 384	4912	cmd.exe	net.exe
PID 4912 wrote to memory of 384	4912	cmd.exe	net.exe
PID 384 wrote to memory of 1832	384	net.exe	net1.exe
PID 384 wrote to memory of 1832	384	net.exe	net1.exe
PID 384 wrote to memory of 1832	384	net.exe	net1.exe
PID 1740 wrote to memory of 4000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 4000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 4000 wrote to memory of 4396	4000	cmd.exe	net.exe
PID 4000 wrote to memory of 4396	4000	cmd.exe	net.exe
PID 4000 wrote to memory of 4396	4000	cmd.exe	net.exe
PID 4396 wrote to memory of 2284	4396	net.exe	net1.exe
PID 4396 wrote to memory of 2284	4396	net.exe	net1.exe
PID 4396 wrote to memory of 2284	4396	net.exe	net1.exe
PID 1740 wrote to memory of 1768	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 1768	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 1768	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2000	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2352	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2352	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 2352	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 3472	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 3472	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1740 wrote to memory of 3472	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 3472 wrote to memory of 3172	3472	cmd.exe	net.exe
PID 3472 wrote to memory of 3172	3472	cmd.exe	net.exe
PID 3472 wrote to memory of 3172	3472	cmd.exe	net.exe
PID 3172 wrote to memory of 4328	3172	net.exe	net1.exe
PID 3172 wrote to memory of 4328	3172	net.exe	net1.exe
PID 3172 wrote to memory of 4328	3172	net.exe	net1.exe
PID 1740 wrote to memory of 4004	1740	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
"C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:4004

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:3468

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-152-0x0000000000000000-mapping.dmp

Download
memory/384-140-0x0000000000000000-mapping.dmp

Download
memory/968-155-0x0000000000000000-mapping.dmp

Download
memory/1064-154-0x0000000000000000-mapping.dmp

Download
memory/1676-160-0x0000000000000000-mapping.dmp

Download
memory/1768-145-0x0000000000000000-mapping.dmp

Download
memory/1832-141-0x0000000000000000-mapping.dmp

Download
memory/1860-156-0x0000000000000000-mapping.dmp

Download
memory/1876-157-0x0000000000000000-mapping.dmp

Download
memory/1976-158-0x0000000000000000-mapping.dmp

Download
memory/2000-146-0x0000000000000000-mapping.dmp

Download
memory/2284-144-0x0000000000000000-mapping.dmp

Download
memory/2352-147-0x0000000000000000-mapping.dmp

Download
memory/2364-153-0x0000000000000000-mapping.dmp

Download
memory/2420-130-0x0000000000000000-mapping.dmp

Download
memory/3108-136-0x0000000000000000-mapping.dmp

Download
memory/3172-149-0x0000000000000000-mapping.dmp

Download
memory/3356-132-0x0000000000000000-mapping.dmp

Download
memory/3468-159-0x0000000000000000-mapping.dmp

Download
memory/3472-148-0x0000000000000000-mapping.dmp

Download
memory/3532-131-0x0000000000000000-mapping.dmp

Download
memory/3604-134-0x0000000000000000-mapping.dmp

Download
memory/4000-142-0x0000000000000000-mapping.dmp

Download
memory/4004-151-0x0000000000000000-mapping.dmp

Download
memory/4104-135-0x0000000000000000-mapping.dmp

Download
memory/4236-133-0x0000000000000000-mapping.dmp

Download
memory/4328-150-0x0000000000000000-mapping.dmp

Download
memory/4372-137-0x0000000000000000-mapping.dmp

Download
memory/4396-143-0x0000000000000000-mapping.dmp

Download
memory/4720-138-0x0000000000000000-mapping.dmp

Download
memory/4912-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads