ramnit | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

General

Target

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Size

107KB
MD5

0a7135dfdb1bd11de9ce5b3f18fc24af
SHA1

7b3afbbc6d639ec0419be1ce9f7d27e3978db290
SHA256

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78
SHA512

dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Score

10^/10

ramnit banker spyware stealer suricata trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
suricata: ET MALWARE Win32.ServStart.D Checkin
suricata: ET MALWARE Win32.ServStart.D Checkin
suricata
suricata: ET MALWARE [PTsecurity] Botnet Nitol.B Checkin
suricata: ET MALWARE [PTsecurity] Botnet Nitol.B Checkin
suricata
Executes dropped EXE 3 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.execaycwq.execaycwqSrv.exe

pid process

1096 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
1056 caycwq.exe
1900 caycwqSrv.exe

pid	process
1096	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
1056	caycwq.exe
1900	caycwqSrv.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe	upx
behavioral1/memory/1096-60-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Windows\caycwq.exe	upx
C:\Windows\caycwqSrv.exe	upx
C:\WINDOWS\CAYCWQSRV.EXE	upx
behavioral1/memory/1900-69-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	upx
behavioral1/memory/1504-71-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1056-73-0x0000000000400000-0x0000000000427000-memory.dmp	upx
C:\WINDOWS\CAYCWQ.EXE	upx
behavioral1/memory/1056-76-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

pid process

1504 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Drops file in System32 directory 1 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description ioc process

File opened for modification C:\WINDOWS\SysWOW64\CMD.EXE 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\CMD.EXE	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Drops file in Program Files directory 6 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.execaycwqSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px474.tmp	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px58D.tmp	caycwqSrv.exe
File opened for modification	C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	caycwqSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	caycwqSrv.exe

Drops file in Windows directory 4 IoCs

Processes:

caycwqSrv.exe0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.execaycwq.exe

description	ioc	process
File opened for modification	C:\WINDOWS\CAYCWQSRV.EXE	caycwqSrv.exe
File created	C:\Windows\caycwq.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened for modification	C:\Windows\caycwq.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File created	C:\Windows\caycwqSrv.exe	caycwq.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caycwq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	caycwq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	caycwq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.execaycwq.exe

pid process

1504 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1056 caycwq.exe

Suspicious behavior: MapViewOfSection 45 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.execaycwq.exe

pid	process
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe
1056	caycwq.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.execaycwq.execaycwqSrv.exe

description	pid	process
Token: SeDebugPrivilege	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeDebugPrivilege	1056	caycwq.exe
Token: SeTakeOwnershipPrivilege	1900	caycwqSrv.exe
Token: SeRestorePrivilege	1900	caycwqSrv.exe
Token: SeBackupPrivilege	1900	caycwqSrv.exe
Token: SeChangeNotifyPrivilege	1900	caycwqSrv.exe
Token: SeTakeOwnershipPrivilege	1900	caycwqSrv.exe
Token: SeRestorePrivilege	1900	caycwqSrv.exe
Token: SeBackupPrivilege	1900	caycwqSrv.exe
Token: SeChangeNotifyPrivilege	1900	caycwqSrv.exe
Token: SeTakeOwnershipPrivilege	1900	caycwqSrv.exe
Token: SeRestorePrivilege	1900	caycwqSrv.exe
Token: SeBackupPrivilege	1900	caycwqSrv.exe
Token: SeChangeNotifyPrivilege	1900	caycwqSrv.exe
Token: SeTakeOwnershipPrivilege	1900	caycwqSrv.exe
Token: SeRestorePrivilege	1900	caycwqSrv.exe
Token: SeBackupPrivilege	1900	caycwqSrv.exe
Token: SeChangeNotifyPrivilege	1900	caycwqSrv.exe
Token: SeTakeOwnershipPrivilege	1900	caycwqSrv.exe
Token: SeRestorePrivilege	1900	caycwqSrv.exe
Token: SeBackupPrivilege	1900	caycwqSrv.exe
Token: SeChangeNotifyPrivilege	1900	caycwqSrv.exe
Token: SeTakeOwnershipPrivilege	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeRestorePrivilege	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeBackupPrivilege	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeChangeNotifyPrivilege	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	pid	process	target process
PID 1504 wrote to memory of 1096	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 1504 wrote to memory of 1096	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 1504 wrote to memory of 1096	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 1504 wrote to memory of 1096	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 368	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	wininit.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 376	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	csrss.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 416	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 460	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	services.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 472	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 480	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsm.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 576	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 652	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 740	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 740	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 740	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 1504 wrote to memory of 740	1504	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:652

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1192

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:576

C:\Windows\caycwq.exe
C:\Windows\caycwq.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\caycwqSrv.exe
C:\Windows\caycwqSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
"C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\WINDOWS\CAYCWQ.EXE
Filesize
107KB

MD5
0a7135dfdb1bd11de9ce5b3f18fc24af

SHA1
7b3afbbc6d639ec0419be1ce9f7d27e3978db290

SHA256
0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

SHA512
dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Download Submit
C:\WINDOWS\CAYCWQSRV.EXE
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\caycwq.exe
Filesize
107KB

MD5
0a7135dfdb1bd11de9ce5b3f18fc24af

SHA1
7b3afbbc6d639ec0419be1ce9f7d27e3978db290

SHA256
0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

SHA512
dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Download Submit
C:\Windows\caycwqSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1056-77-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1056-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1056-74-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1056-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1096-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1096-61-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1504-72-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1504-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1900-70-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1900-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads