Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 23:16
Static task
static1
Behavioral task
behavioral1
Sample
6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe
Resource
win7-20240903-en
General
-
Target
6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe
-
Size
272KB
-
MD5
0dafdcef4ed05d008c7fde7bc21daf75
-
SHA1
18ae591bd31256514b073a22be27c91d0532547b
-
SHA256
6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196
-
SHA512
01cf7cedd294e605bc687947f9aea1335addf5593c055d1ee82a7f754fce7280848d5de0862fdde226f6fa83e605571d12686d47bd7fa89c68bcb753f5f6f60a
-
SSDEEP
3072:YNZEITsAQlhWCcC6uYnF9uAzX/0faAbPy8psrs1BN2JZBS7BtRJQZfwM+ZgAqrPW:0bsAKDSruAj0fasyM34BSvG+Zgfb2CE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 2664 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/files/0x0007000000012117-2.dat upx behavioral1/memory/2120-14-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2664-24-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2664-27-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2120-10-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2664-67-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2664-73-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/2664-580-0x0000000000400000-0x0000000000443000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Photo Viewer\PhotoBase.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE svchost.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\xul.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL svchost.exe File opened for modification C:\Program Files\Windows Media Player\mpvis.DLL svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\server\jvm.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\wsdetect.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe svchost.exe File opened for modification C:\Program Files\Internet Explorer\MemoryAnalyzer.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\installer.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7z.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 2664 WaterMark.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe 1364 svchost.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2664 WaterMark.exe Token: SeDebugPrivilege 1364 svchost.exe Token: SeDebugPrivilege 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe Token: SeDebugPrivilege 2664 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1544 wrote to memory of 2120 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 29 PID 1544 wrote to memory of 2120 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 29 PID 1544 wrote to memory of 2120 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 29 PID 1544 wrote to memory of 2120 1544 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe 29 PID 2120 wrote to memory of 2664 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 30 PID 2120 wrote to memory of 2664 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 30 PID 2120 wrote to memory of 2664 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 30 PID 2120 wrote to memory of 2664 2120 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe 30 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1304 2664 WaterMark.exe 31 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 2664 wrote to memory of 1364 2664 WaterMark.exe 32 PID 1364 wrote to memory of 256 1364 svchost.exe 1 PID 1364 wrote to memory of 256 1364 svchost.exe 1 PID 1364 wrote to memory of 256 1364 svchost.exe 1 PID 1364 wrote to memory of 256 1364 svchost.exe 1 PID 1364 wrote to memory of 256 1364 svchost.exe 1 PID 1364 wrote to memory of 332 1364 svchost.exe 2 PID 1364 wrote to memory of 332 1364 svchost.exe 2 PID 1364 wrote to memory of 332 1364 svchost.exe 2 PID 1364 wrote to memory of 332 1364 svchost.exe 2 PID 1364 wrote to memory of 332 1364 svchost.exe 2 PID 1364 wrote to memory of 380 1364 svchost.exe 3 PID 1364 wrote to memory of 380 1364 svchost.exe 3 PID 1364 wrote to memory of 380 1364 svchost.exe 3 PID 1364 wrote to memory of 380 1364 svchost.exe 3 PID 1364 wrote to memory of 380 1364 svchost.exe 3 PID 1364 wrote to memory of 388 1364 svchost.exe 4 PID 1364 wrote to memory of 388 1364 svchost.exe 4 PID 1364 wrote to memory of 388 1364 svchost.exe 4 PID 1364 wrote to memory of 388 1364 svchost.exe 4 PID 1364 wrote to memory of 388 1364 svchost.exe 4 PID 1364 wrote to memory of 428 1364 svchost.exe 5 PID 1364 wrote to memory of 428 1364 svchost.exe 5 PID 1364 wrote to memory of 428 1364 svchost.exe 5 PID 1364 wrote to memory of 428 1364 svchost.exe 5 PID 1364 wrote to memory of 428 1364 svchost.exe 5 PID 1364 wrote to memory of 472 1364 svchost.exe 6 PID 1364 wrote to memory of 472 1364 svchost.exe 6 PID 1364 wrote to memory of 472 1364 svchost.exe 6 PID 1364 wrote to memory of 472 1364 svchost.exe 6 PID 1364 wrote to memory of 472 1364 svchost.exe 6 PID 1364 wrote to memory of 488 1364 svchost.exe 7 PID 1364 wrote to memory of 488 1364 svchost.exe 7 PID 1364 wrote to memory of 488 1364 svchost.exe 7 PID 1364 wrote to memory of 488 1364 svchost.exe 7 PID 1364 wrote to memory of 488 1364 svchost.exe 7 PID 1364 wrote to memory of 496 1364 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2032
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:2236
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:680
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:752
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:824
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1168
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:868
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:280
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:548
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1076
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1116
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2752
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2064
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:388
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:428
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe"C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exeC:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1304
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize148KB
MD56f4527567d51a76653c53bb6b7ddb825
SHA1d63a4c65d0594d450130946f8620cc1621c8a689
SHA256ae34e0e853f03abe57973833725b39c91e4c6d9a899325fcb375b4a474b49b5e
SHA51219b9e677c3ca8582e046481a1f85524454b873d3e598949d31007e8413ad127dd8c72c3b8af379f54a736fd220acd3acaead6f0ef327a8326746ea69658fdcce
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize144KB
MD54e0ed4bde124b256e3a9155e3eee1044
SHA11f2ef73fac0571966a3e3ec550082c850a05ad6a
SHA2566900dbb3954f4715aa6e63084bbe8e9ca709b09f6138eca4d044b6587f9e29b8
SHA5124704bad4ae859a2b593f52fe1385e336fb57ba40dbeab597c8c68dcf05d4040501e2808b5eb550816a7f80e715c68be4d2d24b5d1fb585549b611df2249008cb
-
\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe
Filesize67KB
MD5ba4610e9ca3ebf61ec5800955a797c13
SHA166fd641b894b56c212275eb62a45b667e6f0f78b
SHA2566eb6cb7e312086b243a1606c4df19a98e1711f3de8fe96866abbd95ba0b51ff8
SHA512cf832767a0dbf8468623b840baa578448174eff472653080d2f2123f2e514ab454e9ddabc98c827a4469760f4f22ed2ffcba71368fb11779aea2d72545776c26