ramnit | 5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f

General

Target

5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll
Size

876KB
MD5

57c9d8fe23f8940f2adf63544e5cab34
SHA1

15a8a06fb1f753f090eb3863f931ffd3c5d78daf
SHA256

5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f
SHA512

97f9a998901cc5dee1cb0735d0f46064dfd28297e9b1656708b10761aa82d3fc49892cc0c443450df481c3b1c952662cdf33c705d7bedfa306aeb85e6af48587
SSDEEP

12288:UPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuEOTRPa94:UPSH4hQP/RN2fLqNK9QV4qBH1AM94

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

rundll32mgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	rundll32mgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rundll32mgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rundll32mgr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32mgr.exe = "C:\\Windows\\SysWOW64\\rundll32mgr.exe:*:enabled:@shell32.dll,-1"	rundll32mgr.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Drops file in Drivers directory 1 IoCs

Processes:

rundll32mgr.exe

description ioc process

File opened for modification C:\Windows\system32\DRIVERS\ETC\HOSTS rundll32mgr.exe
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4904 rundll32mgr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	rundll32mgr.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4904-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4904-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4904-141-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-142-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-143-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-144-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-145-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-146-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4904-147-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32mgr.exe

description	ioc	process
File opened (read-only)	\??\O:	rundll32mgr.exe
File opened (read-only)	\??\Q:	rundll32mgr.exe
File opened (read-only)	\??\W:	rundll32mgr.exe
File opened (read-only)	\??\X:	rundll32mgr.exe
File opened (read-only)	\??\G:	rundll32mgr.exe
File opened (read-only)	\??\H:	rundll32mgr.exe
File opened (read-only)	\??\J:	rundll32mgr.exe
File opened (read-only)	\??\U:	rundll32mgr.exe
File opened (read-only)	\??\Y:	rundll32mgr.exe
File opened (read-only)	\??\F:	rundll32mgr.exe
File opened (read-only)	\??\N:	rundll32mgr.exe
File opened (read-only)	\??\P:	rundll32mgr.exe
File opened (read-only)	\??\R:	rundll32mgr.exe
File opened (read-only)	\??\S:	rundll32mgr.exe
File opened (read-only)	\??\T:	rundll32mgr.exe
File opened (read-only)	\??\K:	rundll32mgr.exe
File opened (read-only)	\??\L:	rundll32mgr.exe
File opened (read-only)	\??\M:	rundll32mgr.exe
File opened (read-only)	\??\Z:	rundll32mgr.exe
File opened (read-only)	\??\E:	rundll32mgr.exe
File opened (read-only)	\??\I:	rundll32mgr.exe
File opened (read-only)	\??\V:	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32mgr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2B65.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 4904 WerFault.exe rundll32mgr.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32mgr.exe

pid process

4904 rundll32mgr.exe
4904 rundll32mgr.exe

pid	pid_target	process	target process
3816	4904	WerFault.exe	rundll32mgr.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

rundll32mgr.exe

pid	process
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe
4904	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 4904 rundll32mgr.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

rundll32mgr.exe

pid process

4904 rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	4904	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exe

description	pid	process	target process
PID 1224 wrote to memory of 208	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 208	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 208	1224	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 4904	208	rundll32.exe	rundll32mgr.exe
PID 208 wrote to memory of 4904	208	rundll32.exe	rundll32mgr.exe
PID 208 wrote to memory of 4904	208	rundll32.exe	rundll32mgr.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 568	4904	rundll32mgr.exe	winlogon.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 652	4904	rundll32mgr.exe	lsass.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 760	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 788	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 792	4904	rundll32mgr.exe	fontdrvhost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 888	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 940	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 1008	4904	rundll32mgr.exe	dwm.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 428	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 396	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 396	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 396	4904	rundll32mgr.exe	svchost.exe
PID 4904 wrote to memory of 396	4904	rundll32mgr.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:652

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1008

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3436

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:1040

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:4100

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:2136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1112

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll,#1
3⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
4⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1304
5⤵
- Program crash
PID:3816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4904 -ip 4904
2⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2572

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
211KB

MD5
e1b0d496aa15f2189e5ecfad81d36456

SHA1
a58707563d183c55d40f16e461cd0bbe8acca529

SHA256
05690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d

SHA512
eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
211KB

MD5
e1b0d496aa15f2189e5ecfad81d36456

SHA1
a58707563d183c55d40f16e461cd0bbe8acca529

SHA256
05690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d

SHA512
eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a

Download Submit
memory/208-132-0x0000000000000000-mapping.dmp

Download
memory/4904-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4904-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4904-133-0x0000000000000000-mapping.dmp

Download
memory/4904-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-146-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-147-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads