ramnit | 40405a2957865a4a08f8a4aa99f75cae76e94892094cb459ed76969f75f1b6e2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2c40d5632e8c96c5c1c89ce25d509d.exe
Size

1.1MB
MD5

1c2c40d5632e8c96c5c1c89ce25d509d
SHA1

ebdd17061924f8d9f6e2d22b4e47ea701f747fe9
SHA256

40405a2957865a4a08f8a4aa99f75cae76e94892094cb459ed76969f75f1b6e2
SHA512

8a89ae7f8ed93acdb49b0bfb3b8ef69ec40c8fd08394bc8552f906c7649176ead84f6c6c40a99d9375a91b8af4210aa8fb45431a68d0b8ec8e7b9d50f5c40685
SSDEEP

12288:apqiC/2OjAt4CP4cejGSOCRK2CGYP/qts2V8f:apo/2xtxPJLfCRK2CGYPSe2Y

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe"	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1728-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1728-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe"	1c2c40d5632e8c96c5c1c89ce25d509d.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2732-37-0x0000000000400000-0x0000000000538000-memory.dmp	autoit_exe
behavioral1/memory/2732-1-0x0000000000400000-0x0000000000538000-memory.dmp	autoit_exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9F0.tmp	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.advgoogle.blogdpot.com"	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://www.advgoogle.blogdpot.com"	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://www.advgoogle.blogdpot.com"	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.advgoogle.blogdpot.com"	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.advgoogle.blogdpot.com"	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Suspicious behavior: MapViewOfSection 45 IoCs

pid	Process
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeDebugPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeTakeOwnershipPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeRestorePrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeBackupPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeChangeNotifyPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeTakeOwnershipPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeRestorePrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeBackupPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeChangeNotifyPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeTakeOwnershipPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeRestorePrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeBackupPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeChangeNotifyPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeTakeOwnershipPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeRestorePrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeBackupPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeChangeNotifyPrivilege	1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
Token: SeTakeOwnershipPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeRestorePrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeBackupPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeChangeNotifyPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeTakeOwnershipPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeRestorePrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeBackupPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe
Token: SeChangeNotifyPrivilege	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1728	1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1728	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	16
PID 2732 wrote to memory of 1728	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	16
PID 2732 wrote to memory of 1728	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	16
PID 2732 wrote to memory of 1728	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	16
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 384	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	27
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 400	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	26
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 436	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	25
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 484	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	24
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 492	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	23
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 500	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	22
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 596	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	21
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 676	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	20
PID 2732 wrote to memory of 748	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	19
PID 2732 wrote to memory of 748	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	19
PID 2732 wrote to memory of 748	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	19
PID 2732 wrote to memory of 748	2732	1c2c40d5632e8c96c5c1c89ce25d509d.exe	19

C:\Users\Admin\AppData\Local\Temp\1c2c40d5632e8c96c5c1c89ce25d509d.exe
"C:\Users\Admin\AppData\Local\Temp\1c2c40d5632e8c96c5c1c89ce25d509d.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
  C:\Users\Admin\AppData\Local\Temp\1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1728

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:3024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:112

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:484

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c2c40d5632e8c96c5c1c89ce25d509dmgr.exe

Filesize
159KB

MD5
b5dd6ddb9a082cf03530700ba4c62da1

SHA1
16a0094c75225491aa6a22f8484b108506e1d329

SHA256
4f6db8a4473e1f2033c98aa9f882bdc5152b805d7c8727ed3bd600ef8636ee10

SHA512
a0e31060b058e9d53e870b69e7ef3d00c9f4ff005e1176e17f482f504b2309ff2f9e9e6f04a7a68b012e2edc1a2aa5a6153aac9e624c4084e16c3335fcd6971e

Download Submit
memory/1728-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-15-0x000000007711F000-0x0000000077120000-memory.dmp

Filesize
4KB

Download
memory/1728-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-24-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1728-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-17-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/1728-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-22-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2732-12-0x000000007711F000-0x0000000077120000-memory.dmp

Filesize
4KB

Download
memory/2732-37-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2732-13-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/2732-11-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/2732-38-0x000000007FFF0000-0x000000007FFFA000-memory.dmp

Filesize
40KB

Download
memory/2732-9-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2732-20-0x000000007FFF0000-0x000000007FFFA000-memory.dmp

Filesize
40KB

Download
memory/2732-1-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download