ramnit | 64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 23:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Size

490KB
MD5

a16cc610dec8f49ece698e64750de090
SHA1

56fd8a3fc76a26d2e4c228fcf383450f0e8af48b
SHA256

64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac
SHA512

d8ea9e3754918793d6f468055a84ceb61767885f36f0998ceaabbc7a51c7b95f417112838c2acd6bd9ff5de60d097409bf5ed0e302e63d727b967d77c05a42f5
SSDEEP

12288:ma0BGMCI+p8deJkwZJjNk3YssSq0wbRy/u:mjGDWw1jNk3aXRy2

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe:*:enabled:@shell32.dll,-1"	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
4480	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f63-138.dat	upx
behavioral2/files/0x0006000000022f63-139.dat	upx
behavioral2/memory/4492-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4492-146-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4480-149-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4492-150-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4284-152-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4492-154-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4284-155-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4492-156-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4284-157-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4492-159-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4284-160-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFCD3.tmp	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFF15.tmp	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
File opened for modification	C:\PROGRAM FILES (X86)\MICROSOFT\WATERMARK.EXE	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1516	4492	WerFault.exe	78
3696	4480	WerFault.exe	79
2164	4284	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4480	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe
4480	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeDebugPrivilege	4480	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe
Token: SeTakeOwnershipPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeRestorePrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeBackupPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeChangeNotifyPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeTakeOwnershipPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeRestorePrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeBackupPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeChangeNotifyPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeTakeOwnershipPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeRestorePrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeBackupPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeChangeNotifyPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeTakeOwnershipPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeRestorePrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeBackupPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeChangeNotifyPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeTakeOwnershipPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeRestorePrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeBackupPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
Token: SeChangeNotifyPrivilege	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4492	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4492	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	78
PID 4284 wrote to memory of 4492	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	78
PID 4284 wrote to memory of 4492	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	78
PID 4492 wrote to memory of 4480	4492	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe	79
PID 4492 wrote to memory of 4480	4492	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe	79
PID 4492 wrote to memory of 4480	4492	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe	79
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 604	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	3
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 676	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	4
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 792	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	8
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 800	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	76
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 808	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	75
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 904	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	9
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 960	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	74
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 336	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	10
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 516	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	11
PID 4284 wrote to memory of 900	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	73
PID 4284 wrote to memory of 900	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	73
PID 4284 wrote to memory of 900	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	73
PID 4284 wrote to memory of 900	4284	64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe	73

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2456

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2724

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe
  "C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eac.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
    C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe
      C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 304
        5⤵
        Program crash
        
        PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 376
      4⤵
      Program crash
      PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 376
    3⤵
    - Program crash
    PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4480 -ip 4480
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4284 -ip 4284
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\WATERMARK.EXE

Filesize
365KB

MD5
557ef508229fdaf91aa7809e07316312

SHA1
ac3d77edf82a434c868663dedf9f9a76ebacbc6c

SHA256
9710d16186acc69969d3e0085d233cfe02b293396145f3f01843b5c8be182d60

SHA512
57d39e4e5350d024adc1b7fd0f67d1871cdebe0f9067de2f12f1bdee1aa5eb003763231a2a86a5ab991f010afc1747a349629b5d5397a93f63ddb621ed987baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe

Filesize
336KB

MD5
adf5ca0cb4b2794d821b68c5cf898aab

SHA1
db723a49d043d9792c1b04adf1442be07e0a7fb1

SHA256
14bbd2ac2316aee36e6e5d16fa118dd5225a377e67cbfc7d756c78b235ea874a

SHA512
90b8af09605a5c573323b0210d0cee2b4ad8eb608d553240f0c2a9e92bffe26486ae826f690d466788e52bfc6b8a1980448e8f5720b70a6147ebbbe457a86bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgr.exe

Filesize
336KB

MD5
adf5ca0cb4b2794d821b68c5cf898aab

SHA1
db723a49d043d9792c1b04adf1442be07e0a7fb1

SHA256
14bbd2ac2316aee36e6e5d16fa118dd5225a377e67cbfc7d756c78b235ea874a

SHA512
90b8af09605a5c573323b0210d0cee2b4ad8eb608d553240f0c2a9e92bffe26486ae826f690d466788e52bfc6b8a1980448e8f5720b70a6147ebbbe457a86bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe

Filesize
183KB

MD5
6439ae51e6cfb4c7bc4a01d6b82a6dd8

SHA1
1154f810662e5b036f6c20261838c3a0a71428b5

SHA256
d077007fba9180e77c325f05cda2da30511e837ae5fd872eff3a956ee496202a

SHA512
77ea34ce58eca1281a374078a5cb63bc4eae20a129ab908e872f285ae276f2959a363918e869a31c7c7dbe8c7d8b5409294c21b9cee997a60e1f50150c778255

Download Submit
C:\Users\Admin\AppData\Local\Temp\64b1bfcdf6ce49a3aa04f770477240febd03bddfd19de4e533e5a3eb5ba05eacmgrmgr.exe

Filesize
183KB

MD5
6439ae51e6cfb4c7bc4a01d6b82a6dd8

SHA1
1154f810662e5b036f6c20261838c3a0a71428b5

SHA256
d077007fba9180e77c325f05cda2da30511e837ae5fd872eff3a956ee496202a

SHA512
77ea34ce58eca1281a374078a5cb63bc4eae20a129ab908e872f285ae276f2959a363918e869a31c7c7dbe8c7d8b5409294c21b9cee997a60e1f50150c778255

Download Submit
memory/4284-160-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4284-155-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4284-158-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/4284-157-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4284-161-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/4284-132-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4284-152-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4480-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4480-151-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4492-150-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4492-154-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4492-153-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4492-156-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4492-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4492-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4492-159-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4492-136-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download