ramnit | 92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
Size

343KB
MD5

b4e14698daf4161afb94778351302650
SHA1

ee718a7b3e3f63a775b93d89eb2e45424178d6c5
SHA256

92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10
SHA512

2f934961171dcfac34aa31cac938c68b572fbbbc3e3dc0d3dca1504d90a25b97e946d120d2f99bd5f9d0ed578426400d84c6644b1ede283afec5c24d25d8cadf
SSDEEP

6144:v1yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5TwZ1TsCGmee1LKu4WLLY/va:vQ8pQ96w+ns+GwoNnmOZJaKK6Y/S

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	isass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	isass.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2284	isass.exe
1676	isassmgr.exe

Loads dropped DLL 10 IoCs

pid	Process
2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
2284	isass.exe
2284	isass.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
1676	isassmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
1676	isassmgr.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	isass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\ISASS.EXE	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
File opened for modification	C:\Windows\SysWOW64\isass.exe	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
File created	C:\Windows\SysWOW64\isassmgr.exe	isass.exe
File opened for modification	C:\Windows\SysWOW64\isass	isass.exe
File opened for modification	C:\WINDOWS\SYSWOW64\ISASS.EXE	isass.exe
File opened for modification	C:\WINDOWS\SysWOW64\ISASS.EXE	isass.exe
File created	C:\Windows\SysWOW64\isass.exe	isass.exe
File created	C:\Windows\SysWOW64\isass.exe	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-16-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1676-65-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2372-60-0x0000000000400000-0x0000000000430000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isassmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	isass.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
1676	isassmgr.exe

Suspicious behavior: MapViewOfSection 51 IoCs

pid	Process
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe
1676	isassmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
Token: SeDebugPrivilege	1676	isassmgr.exe
Token: SeDebugPrivilege	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
Token: SeDebugPrivilege	1676	isassmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2372	2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe	30
PID 2396 wrote to memory of 2372	2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe	30
PID 2396 wrote to memory of 2372	2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe	30
PID 2396 wrote to memory of 2372	2396	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe	30
PID 2372 wrote to memory of 384	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	3
PID 2372 wrote to memory of 384	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	3
PID 2372 wrote to memory of 384	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	3
PID 2372 wrote to memory of 392	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	4
PID 2372 wrote to memory of 392	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	4
PID 2372 wrote to memory of 392	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	4
PID 2372 wrote to memory of 432	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	5
PID 2372 wrote to memory of 432	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	5
PID 2372 wrote to memory of 432	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	5
PID 2372 wrote to memory of 476	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	6
PID 2372 wrote to memory of 476	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	6
PID 2372 wrote to memory of 476	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	6
PID 2372 wrote to memory of 492	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	7
PID 2372 wrote to memory of 492	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	7
PID 2372 wrote to memory of 492	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	7
PID 2372 wrote to memory of 500	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	8
PID 2372 wrote to memory of 500	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	8
PID 2372 wrote to memory of 500	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	8
PID 2372 wrote to memory of 608	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	9
PID 2372 wrote to memory of 608	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	9
PID 2372 wrote to memory of 608	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	9
PID 2372 wrote to memory of 688	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	10
PID 2372 wrote to memory of 688	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	10
PID 2372 wrote to memory of 688	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	10
PID 2372 wrote to memory of 776	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	11
PID 2372 wrote to memory of 776	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	11
PID 2372 wrote to memory of 776	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	11
PID 2372 wrote to memory of 832	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	12
PID 2372 wrote to memory of 832	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	12
PID 2372 wrote to memory of 832	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	12
PID 2372 wrote to memory of 876	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	13
PID 2372 wrote to memory of 876	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	13
PID 2372 wrote to memory of 876	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	13
PID 2372 wrote to memory of 984	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	15
PID 2372 wrote to memory of 984	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	15
PID 2372 wrote to memory of 984	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	15
PID 2372 wrote to memory of 272	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	16
PID 2372 wrote to memory of 272	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	16
PID 2372 wrote to memory of 272	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	16
PID 2372 wrote to memory of 308	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	17
PID 2372 wrote to memory of 308	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	17
PID 2372 wrote to memory of 308	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	17
PID 2372 wrote to memory of 1076	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	18
PID 2372 wrote to memory of 1076	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	18
PID 2372 wrote to memory of 1076	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	18
PID 2372 wrote to memory of 1116	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	19
PID 2372 wrote to memory of 1116	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	19
PID 2372 wrote to memory of 1116	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	19
PID 2372 wrote to memory of 1168	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	20
PID 2372 wrote to memory of 1168	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	20
PID 2372 wrote to memory of 1168	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	20
PID 2372 wrote to memory of 1208	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	21
PID 2372 wrote to memory of 1208	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	21
PID 2372 wrote to memory of 1208	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	21
PID 2372 wrote to memory of 1528	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	23
PID 2372 wrote to memory of 1528	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	23
PID 2372 wrote to memory of 1528	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	23
PID 2372 wrote to memory of 1692	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	24
PID 2372 wrote to memory of 1692	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	24
PID 2372 wrote to memory of 1692	2372	92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe	24

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1692
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:776
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:832
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:876
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1528
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2452
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:788
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
  "C:\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
    C:\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\isass.exe
    C:\Windows\system32\isass.exe C:\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10N.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2284
  - - C:\Windows\SysWOW64\isassmgr.exe
      C:\Windows\SysWOW64\isassmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1676
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3020

C:\Users\Admin\AppData\Local\Temp\1942462077\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\1942462077\zmstage.exe
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\isass.exe

Filesize
343KB

MD5
b4e14698daf4161afb94778351302650

SHA1
ee718a7b3e3f63a775b93d89eb2e45424178d6c5

SHA256
92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10

SHA512
2f934961171dcfac34aa31cac938c68b572fbbbc3e3dc0d3dca1504d90a25b97e946d120d2f99bd5f9d0ed578426400d84c6644b1ede283afec5c24d25d8cadf

Download Submit
\Users\Admin\AppData\Local\Temp\92f89011a53d043bffb75f25e504da86740a76c7ba363ac809f53b93305e6c10Nmgr.exe

Filesize
112KB

MD5
aa4e120fb5687e6c5140848c8ac47018

SHA1
3a702f46c83c44e5453c04cb976582dfddabd30b

SHA256
4b44f10e25428c06e0941231642f203e9e597a0191b11e41d167987900d1ffeb

SHA512
abdff41d4091d1464019f0c76a2465ee5083012e097ce087ec319b4103eeb911617a1d0470bf7d1785c4be1ac98dd7793b1202fe8a7357610834e495fe13bd6d

Download Submit
\Users\Admin\AppData\Local\Temp\~TMC33F.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TMC350.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/1676-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1676-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-44-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2284-67-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2284-43-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2284-34-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2284-47-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2284-49-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2284-66-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2284-68-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2372-14-0x0000000077D20000-0x0000000077D21000-memory.dmp

Filesize
4KB

Download
memory/2372-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2372-55-0x0000000077D1F000-0x0000000077D20000-memory.dmp

Filesize
4KB

Download
memory/2372-15-0x0000000077D1F000-0x0000000077D20000-memory.dmp

Filesize
4KB

Download
memory/2372-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-54-0x0000000077D20000-0x0000000077D21000-memory.dmp

Filesize
4KB

Download
memory/2372-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2396-7-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2396-11-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2396-8-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/2396-31-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download