Malware Analysis Report

2025-08-06 01:41

Sample ID 241004-29h51swelh
Target 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196
SHA256 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196
Tags
ramnit banker discovery persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196

Threat Level: Known bad

The file 6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery persistence spyware stealer trojan upx worm

Ramnit

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-04 23:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-04 23:16

Reported

2024-10-04 23:19

Platform

win7-20240903-en

Max time kernel

150s

Max time network

142s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Ramnit

trojan spyware stealer worm banker ramnit

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\dmlconf.dat | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\PhotoBase.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\msdaps.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\xul.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\gstreamer-lite.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\mpvis.DLL | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\server\jvm.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\wsdetect.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\MemoryAnalyzer.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\installer.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll | C:\Windows\SysWOW64\svchost.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1544 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe
PID 1544 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe
PID 1544 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe
PID 1544 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe
PID 2120 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe | C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2120 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe | C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2120 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe | C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2120 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe | C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1304 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 2664 wrote to memory of 1364 | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\svchost.exe
PID 1364 wrote to memory of 256 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\smss.exe
PID 1364 wrote to memory of 256 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\smss.exe
PID 1364 wrote to memory of 256 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\smss.exe
PID 1364 wrote to memory of 256 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\smss.exe
PID 1364 wrote to memory of 256 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\System32\smss.exe
PID 1364 wrote to memory of 332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 332 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\wininit.exe
PID 1364 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\wininit.exe
PID 1364 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\wininit.exe
PID 1364 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\wininit.exe
PID 1364 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\wininit.exe
PID 1364 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\csrss.exe
PID 1364 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\winlogon.exe
PID 1364 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\winlogon.exe
PID 1364 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\winlogon.exe
PID 1364 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\winlogon.exe
PID 1364 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\winlogon.exe
PID 1364 wrote to memory of 472 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\services.exe
PID 1364 wrote to memory of 472 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\services.exe
PID 1364 wrote to memory of 472 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\services.exe
PID 1364 wrote to memory of 472 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\services.exe
PID 1364 wrote to memory of 472 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\services.exe
PID 1364 wrote to memory of 488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsass.exe
PID 1364 wrote to memory of 488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsass.exe
PID 1364 wrote to memory of 488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsass.exe
PID 1364 wrote to memory of 488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsass.exe
PID 1364 wrote to memory of 488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsass.exe
PID 1364 wrote to memory of 496 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\lsm.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe

"C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe"

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | poopthree.com | udp
US | 8.8.8.8:53 | google.com | udp
GB | 172.217.16.238:80 | google.com | tcp
RU | 82.112.184.197:443 | poopthree.com | tcp
RU | 82.112.184.197:443 | poopthree.com | tcp
GB | 172.217.16.238:80 | google.com | tcp
GB | 172.217.16.238:80 | google.com | tcp

Files

memory/1544-1-0x0000000000400000-0x0000000000448000-memory.dmp

\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

MD5 ba4610e9ca3ebf61ec5800955a797c13
SHA1 66fd641b894b56c212275eb62a45b667e6f0f78b
SHA256 6eb6cb7e312086b243a1606c4df19a98e1711f3de8fe96866abbd95ba0b51ff8
SHA512 cf832767a0dbf8468623b840baa578448174eff472653080d2f2123f2e514ab454e9ddabc98c827a4469760f4f22ed2ffcba71368fb11779aea2d72545776c26

memory/1544-4-0x00000000002F0000-0x0000000000333000-memory.dmp

memory/2120-14-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2120-13-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2664-24-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2664-27-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1544-26-0x00000000002F0000-0x0000000000333000-memory.dmp

memory/2664-25-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2120-10-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1304-31-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1304-29-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1304-44-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1304-42-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1304-41-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1304-37-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1304-36-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1304-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1304-49-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2664-53-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2664-54-0x0000000077CBF000-0x0000000077CC0000-memory.dmp

memory/1364-56-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2664-67-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1364-66-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1364-62-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1364-74-0x0000000077CC0000-0x0000000077CC1000-memory.dmp

memory/2664-73-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1364-72-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1364-71-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1364-70-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1364-69-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1364-68-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1304-333-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1544-335-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2664-577-0x0000000077CBF000-0x0000000077CC0000-memory.dmp

memory/2664-580-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 6f4527567d51a76653c53bb6b7ddb825
SHA1 d63a4c65d0594d450130946f8620cc1621c8a689
SHA256 ae34e0e853f03abe57973833725b39c91e4c6d9a899325fcb375b4a474b49b5e
SHA512 19b9e677c3ca8582e046481a1f85524454b873d3e598949d31007e8413ad127dd8c72c3b8af379f54a736fd220acd3acaead6f0ef327a8326746ea69658fdcce

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 4e0ed4bde124b256e3a9155e3eee1044
SHA1 1f2ef73fac0571966a3e3ec550082c850a05ad6a
SHA256 6900dbb3954f4715aa6e63084bbe8e9ca709b09f6138eca4d044b6587f9e29b8
SHA512 4704bad4ae859a2b593f52fe1385e336fb57ba40dbeab597c8c68dcf05d4040501e2808b5eb550816a7f80e715c68be4d2d24b5d1fb585549b611df2249008cb

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-04 23:16

Reported

2024-10-04 23:19

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe

"C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196.exe"

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 512 -ip 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 264

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

memory/4480-0-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6e20f9687cd7e6e2e7cc956a4f834e079b9cfb53d7db3776f99b0fd4b3fcb196mgr.exe

MD5 ba4610e9ca3ebf61ec5800955a797c13
SHA1 66fd641b894b56c212275eb62a45b667e6f0f78b
SHA256 6eb6cb7e312086b243a1606c4df19a98e1711f3de8fe96866abbd95ba0b51ff8
SHA512 cf832767a0dbf8468623b840baa578448174eff472653080d2f2123f2e514ab454e9ddabc98c827a4469760f4f22ed2ffcba71368fb11779aea2d72545776c26

memory/512-6-0x00000000004D0000-0x00000000004D1000-memory.dmp

memory/512-5-0x0000000000400000-0x0000000000443000-memory.dmp

memory/512-8-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4480-9-0x0000000000400000-0x0000000000448000-memory.dmp