ramnit | 294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a

Analysis

max time kernel
140s
max time network
178s
platform
windows7_x64
resource
win7-20220414-en
submitted
15-06-2022 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
Size

284KB
MD5

0c74c898a73adfbfc35975a833186d5b
SHA1

ab246c4d8c50385c722215caf2b038bb04a92e74
SHA256

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a
SHA512

c80c92797c64f9ba6e1124a1e8cf281d0b8c79231d9e582187ee826280f5024c5e1a6e2addb8b3ed06cf30e8569821665f77b8e3efba06cdd0be3f41b21d1dde

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\fjk6134.tmp	acprotect
\Windows\Temp\qzkFDA1.tmp	acprotect

Executes dropped EXE 3 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exeSystem.exeSystemSrv.exe

pid process

1352 294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
1996 System.exe
1764 SystemSrv.exe

pid	process
1352	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
1996	System.exe
1764	SystemSrv.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe	upx
behavioral1/memory/1352-60-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\WINDOWS\SYSTEMSRV.EXE	upx
C:\Windows\SystemSrv.exe	upx
C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	upx
behavioral1/memory/1764-77-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exe

pid	process
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1996	System.exe

Drops file in Program Files directory 6 IoCs

Processes:

SystemSrv.exe294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFE9B.tmp	SystemSrv.exe
File opened for modification	C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	SystemSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	SystemSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px629B.tmp	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe

Drops file in Windows directory 4 IoCs

Processes:

SystemSrv.exe294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SYSTEMSRV.EXE	SystemSrv.exe
File created	C:\Windows\System.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
File opened for modification	C:\Windows\System.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
File created	C:\Windows\SystemSrv.exe	System.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

System.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	System.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exe

pid process

1284 294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1996 System.exe

Suspicious behavior: MapViewOfSection 45 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exe

pid	process
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe
1996	System.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe

pid process

1284 294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exeSystemSrv.exe

description	pid	process
Token: SeDebugPrivilege	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
Token: SeDebugPrivilege	1996	System.exe
Token: SeTakeOwnershipPrivilege	1764	SystemSrv.exe
Token: SeRestorePrivilege	1764	SystemSrv.exe
Token: SeBackupPrivilege	1764	SystemSrv.exe
Token: SeChangeNotifyPrivilege	1764	SystemSrv.exe
Token: SeTakeOwnershipPrivilege	1764	SystemSrv.exe
Token: SeRestorePrivilege	1764	SystemSrv.exe
Token: SeBackupPrivilege	1764	SystemSrv.exe
Token: SeChangeNotifyPrivilege	1764	SystemSrv.exe
Token: SeTakeOwnershipPrivilege	1764	SystemSrv.exe
Token: SeRestorePrivilege	1764	SystemSrv.exe
Token: SeBackupPrivilege	1764	SystemSrv.exe
Token: SeChangeNotifyPrivilege	1764	SystemSrv.exe
Token: SeTakeOwnershipPrivilege	1764	SystemSrv.exe
Token: SeRestorePrivilege	1764	SystemSrv.exe
Token: SeBackupPrivilege	1764	SystemSrv.exe
Token: SeChangeNotifyPrivilege	1764	SystemSrv.exe
Token: SeTakeOwnershipPrivilege	1764	SystemSrv.exe
Token: SeRestorePrivilege	1764	SystemSrv.exe
Token: SeBackupPrivilege	1764	SystemSrv.exe
Token: SeChangeNotifyPrivilege	1764	SystemSrv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exeSystem.exe

pid process

1284 294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
1996 System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe

description	pid	process	target process
PID 1284 wrote to memory of 1352	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
PID 1284 wrote to memory of 1352	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
PID 1284 wrote to memory of 1352	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
PID 1284 wrote to memory of 1352	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	wininit.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	csrss.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	winlogon.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 464	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	services.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsass.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	lsm.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 600	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 676	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 760	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 760	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 760	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe
PID 1284 wrote to memory of 760	1284	294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1192

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1620

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1048

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:600

C:\Windows\System.exe
C:\Windows\System.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SystemSrv.exe
C:\Windows\SystemSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe
"C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1352

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\WINDOWS\SYSTEMSRV.EXE
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\System.exe
Filesize
284KB

MD5
0c74c898a73adfbfc35975a833186d5b

SHA1
ab246c4d8c50385c722215caf2b038bb04a92e74

SHA256
294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a

SHA512
c80c92797c64f9ba6e1124a1e8cf281d0b8c79231d9e582187ee826280f5024c5e1a6e2addb8b3ed06cf30e8569821665f77b8e3efba06cdd0be3f41b21d1dde

Download Submit
C:\Windows\System.exe
Filesize
284KB

MD5
0c74c898a73adfbfc35975a833186d5b

SHA1
ab246c4d8c50385c722215caf2b038bb04a92e74

SHA256
294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686a

SHA512
c80c92797c64f9ba6e1124a1e8cf281d0b8c79231d9e582187ee826280f5024c5e1a6e2addb8b3ed06cf30e8569821665f77b8e3efba06cdd0be3f41b21d1dde

Download Submit
C:\Windows\SystemSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\294302fb47b5b82ca865cd2d5a8b82ebc02dfbdb91f8d0dee3d3b0159190686aSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\fjk6134.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\Temp\qzkFDA1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1284-74-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/1284-73-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/1284-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1284-63-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/1284-64-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1284-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1352-56-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1352-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1352-58-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1764-68-0x0000000000000000-mapping.dmp

Download
memory/1764-76-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1764-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1996-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-79-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download