Analysis
-
max time kernel
42s -
max time network
138s -
platform
windows7_x64 -
resource
win7 -
submitted
06-07-2020 08:58
General
-
Target
decoderma@tutanota.com.exe
-
Size
998KB
-
MD5
7bc5183b207888e9c01193fe2f1d0976
-
SHA1
e679f69eb28ab3462cc308143d9d372b40d936d1
-
SHA256
9e3d7b2163b865375d1b14a37c9130c55b9de8a6eb74b54f0d6f1a8b820eceae
-
SHA512
ce38603c3e21a716124bc4cc627f3c983685849625ec2cec5a1391eb904a84dff8681204cc3944c73e19c4398ed37fb8658927ed0f953c037afea98eea989aaf
Score
10/10
Malware Config
Signatures
-
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Drops file in Drivers directory 9 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
NTFS ADS 43 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\decoderma@tutanota.com.exe"C:\Users\Admin\AppData\Local\Temp\decoderma@tutanota.com.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/296-4-0x0000000000000000-mapping.dmp
-
memory/644-5-0x0000000000000000-mapping.dmp
-
memory/788-6-0x0000000000000000-mapping.dmp
-
memory/884-30-0x0000000000000000-mapping.dmp
-
memory/1040-27-0x0000000000000000-mapping.dmp
-
memory/1048-7-0x0000000000000000-mapping.dmp
-
memory/1072-33-0x00000000013B0000-0x00000000013C1000-memory.dmpFilesize
68KB
-
memory/1072-31-0x00000000013B0000-0x00000000013C1000-memory.dmpFilesize
68KB
-
memory/1072-32-0x00000000017C0000-0x00000000017D1000-memory.dmpFilesize
68KB
-
memory/1096-9-0x0000000000000000-mapping.dmp
-
memory/1112-8-0x0000000000000000-mapping.dmp
-
memory/1260-14-0x0000000000000000-mapping.dmp
-
memory/1308-0-0x0000000000000000-mapping.dmp
-
memory/1392-13-0x0000000000000000-mapping.dmp
-
memory/1432-1-0x0000000000000000-mapping.dmp
-
memory/1440-2-0x0000000000000000-mapping.dmp
-
memory/1496-3-0x0000000000000000-mapping.dmp
-
memory/1500-29-0x0000000000000000-mapping.dmp
-
memory/1512-11-0x0000000000000000-mapping.dmp
-
memory/1536-10-0x0000000000000000-mapping.dmp
-
memory/1576-19-0x0000000000000000-mapping.dmp
-
memory/1636-20-0x0000000000000000-mapping.dmp
-
memory/1648-17-0x0000000000000000-mapping.dmp
-
memory/1652-18-0x0000000000000000-mapping.dmp
-
memory/1720-12-0x0000000000000000-mapping.dmp
-
memory/1784-16-0x0000000000000000-mapping.dmp
-
memory/1804-15-0x0000000000000000-mapping.dmp
-
memory/1860-22-0x0000000000000000-mapping.dmp
-
memory/1904-21-0x0000000000000000-mapping.dmp
-
memory/1932-25-0x0000000000000000-mapping.dmp
-
memory/1940-24-0x0000000000000000-mapping.dmp
-
memory/1964-23-0x0000000000000000-mapping.dmp
-
memory/1988-28-0x0000000000000000-mapping.dmp
-
memory/1996-26-0x0000000000000000-mapping.dmp