ramnit | 277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

Analysis

max time kernel
186s
max time network
167s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
Size

248KB
MD5

5674d371be612f08af5faab96f2f0c1a
SHA1

1eb5efb0b829f8dd5265ede1907f41a7985f70c8
SHA256

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f
SHA512

1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef
SSDEEP

3072:uR2xn3k0CdM1vabyzJYWqyZcFaF504UwPGX1NhG2ozrl8SmaUBzMZqa12DtjSM:uR2J0LS6Vymc0IPGEfzrjmPzMZq2s

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid	process
276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
272	WaterMark.exe
824	WaterMark.exe
592	WaterMarkmgr.exe
432	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1448-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1448-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1448-77-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/276-79-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/592-105-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/272-134-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/272-137-0x0000000000120000-0x000000000014B000-memory.dmp	upx
behavioral1/memory/824-139-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/272-141-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/432-140-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/824-293-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/432-294-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/272-295-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exeWaterMarkmgr.exe

pid	process
1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
272	WaterMark.exe
272	WaterMark.exe
592	WaterMarkmgr.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 17 IoCs

Processes:

svchost.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMarkmgr.exeWaterMark.exeWaterMark.exeWaterMark.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB75E.tmp	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB9DE.tmp	WaterMarkmgr.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB74F.tmp	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exesvchost.exe

pid	process
272	WaterMark.exe
272	WaterMark.exe
824	WaterMark.exe
824	WaterMark.exe
432	WaterMark.exe
432	WaterMark.exe
432	WaterMark.exe
824	WaterMark.exe
824	WaterMark.exe
432	WaterMark.exe
824	WaterMark.exe
432	WaterMark.exe
824	WaterMark.exe
432	WaterMark.exe
272	WaterMark.exe
272	WaterMark.exe
272	WaterMark.exe
272	WaterMark.exe
824	WaterMark.exe
824	WaterMark.exe
432	WaterMark.exe
432	WaterMark.exe
272	WaterMark.exe
272	WaterMark.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	272	WaterMark.exe
Token: SeDebugPrivilege	824	WaterMark.exe
Token: SeDebugPrivilege	432	WaterMark.exe
Token: SeDebugPrivilege	944	svchost.exe
Token: SeDebugPrivilege	1440	svchost.exe
Token: SeDebugPrivilege	1312	svchost.exe
Token: SeDebugPrivilege	824	WaterMark.exe
Token: SeDebugPrivilege	272	WaterMark.exe
Token: SeDebugPrivilege	432	WaterMark.exe
Token: SeDebugPrivilege	2016	svchost.exe
Token: SeDebugPrivilege	288	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMark.exe

pid	process
1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
272	WaterMark.exe
592	WaterMarkmgr.exe
824	WaterMark.exe
432	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMark.exe

description	pid	process	target process
PID 1448 wrote to memory of 276	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1448 wrote to memory of 276	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1448 wrote to memory of 276	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1448 wrote to memory of 276	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1448 wrote to memory of 272	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	WaterMark.exe
PID 1448 wrote to memory of 272	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	WaterMark.exe
PID 1448 wrote to memory of 272	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	WaterMark.exe
PID 1448 wrote to memory of 272	1448	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	WaterMark.exe
PID 276 wrote to memory of 824	276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 276 wrote to memory of 824	276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 276 wrote to memory of 824	276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 276 wrote to memory of 824	276	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 272 wrote to memory of 592	272	WaterMark.exe	WaterMarkmgr.exe
PID 272 wrote to memory of 592	272	WaterMark.exe	WaterMarkmgr.exe
PID 272 wrote to memory of 592	272	WaterMark.exe	WaterMarkmgr.exe
PID 272 wrote to memory of 592	272	WaterMark.exe	WaterMarkmgr.exe
PID 592 wrote to memory of 432	592	WaterMarkmgr.exe	WaterMark.exe
PID 592 wrote to memory of 432	592	WaterMarkmgr.exe	WaterMark.exe
PID 592 wrote to memory of 432	592	WaterMarkmgr.exe	WaterMark.exe
PID 592 wrote to memory of 432	592	WaterMarkmgr.exe	WaterMark.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 2016	824	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1968	432	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 288	272	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1440	432	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 824 wrote to memory of 944	824	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1440	432	WaterMark.exe	svchost.exe
PID 272 wrote to memory of 1312	272	WaterMark.exe	svchost.exe
PID 432 wrote to memory of 1440	432	WaterMark.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
3⤵
PID:2024

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:340

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:364

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
"C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe"
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:276

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:272

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
5674d371be612f08af5faab96f2f0c1a

SHA1
1eb5efb0b829f8dd5265ede1907f41a7985f70c8

SHA256
277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

SHA512
1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
memory/272-141-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/272-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/272-74-0x0000000000000000-mapping.dmp

Download
memory/272-295-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/272-137-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/276-79-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/276-58-0x0000000000000000-mapping.dmp

Download
memory/288-122-0x0000000000000000-mapping.dmp

Download
memory/432-294-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/432-102-0x0000000000000000-mapping.dmp

Download
memory/432-140-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/592-85-0x0000000000000000-mapping.dmp

Download
memory/592-105-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/824-76-0x0000000000000000-mapping.dmp

Download
memory/824-293-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/824-139-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-154-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/944-149-0x0000000000000000-mapping.dmp

Download
memory/1312-156-0x0000000000000000-mapping.dmp

Download
memory/1440-145-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1440-151-0x0000000000000000-mapping.dmp

Download
memory/1448-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1448-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1448-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1448-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1448-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1968-142-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1968-112-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1968-119-0x0000000000000000-mapping.dmp

Download
memory/1968-123-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1968-296-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2016-118-0x0000000000000000-mapping.dmp

Download