ramnit | 7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll
Size

847KB
MD5

d43c791d583c4a7175ab01c5734565f0
SHA1

3d9124c80d48352127f8f9998939378fa802095f
SHA256

7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21
SHA512

bd34e5aca0155644b340b01486f4051c9faf7860429e866dd8b338c4a65b330e5c7aa8978c08a1075b82ed1004109b82f99f9c1cb634c4bab281e47074e40cd6
SSDEEP

24576:Uzb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPKxyCFrKTE:UzbKsUmjtcdPGgIwPKjFr0E

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2236	rundll32mgr.exe
2976	rundll32mgrmgr.exe
308	WaterMark.exe
2776	WaterMark.exe
2812	WaterMarkmgr.exe
2080	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
2216	rundll32.exe
2216	rundll32.exe
2236	rundll32mgr.exe
2236	rundll32mgr.exe
2236	rundll32mgr.exe
2976	rundll32mgrmgr.exe
2236	rundll32mgr.exe
2976	rundll32mgrmgr.exe
2776	WaterMark.exe
2776	WaterMark.exe
2812	WaterMarkmgr.exe
2812	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2236-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/308-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2080-125-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2080-111-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2776-85-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2812-84-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2812-92-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2776-471-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2080-638-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2080-894-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2776-893-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\msdbg2.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\MSPVWCTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\NBMapTIP.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
308	WaterMark.exe
308	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2080	WaterMark.exe
2080	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2080	WaterMark.exe
2080	WaterMark.exe
2080	WaterMark.exe
2080	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2080	WaterMark.exe
2080	WaterMark.exe
396	svchost.exe
308	WaterMark.exe
308	WaterMark.exe
308	WaterMark.exe
308	WaterMark.exe
308	WaterMark.exe
308	WaterMark.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	WaterMark.exe
Token: SeDebugPrivilege	2776	WaterMark.exe
Token: SeDebugPrivilege	2080	WaterMark.exe
Token: SeDebugPrivilege	396	svchost.exe
Token: SeDebugPrivilege	2456	svchost.exe
Token: SeDebugPrivilege	2216	rundll32.exe
Token: SeDebugPrivilege	308	WaterMark.exe
Token: SeDebugPrivilege	2776	WaterMark.exe
Token: SeDebugPrivilege	2080	WaterMark.exe
Token: SeDebugPrivilege	2020	svchost.exe
Token: SeDebugPrivilege	2348	svchost.exe
Token: SeDebugPrivilege	2684	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2236	rundll32mgr.exe
2976	rundll32mgrmgr.exe
308	WaterMark.exe
2776	WaterMark.exe
2812	WaterMarkmgr.exe
2080	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2596 wrote to memory of 2216	2596	rundll32.exe	29
PID 2216 wrote to memory of 2236	2216	rundll32.exe	30
PID 2216 wrote to memory of 2236	2216	rundll32.exe	30
PID 2216 wrote to memory of 2236	2216	rundll32.exe	30
PID 2216 wrote to memory of 2236	2216	rundll32.exe	30
PID 2236 wrote to memory of 2976	2236	rundll32mgr.exe	31
PID 2236 wrote to memory of 2976	2236	rundll32mgr.exe	31
PID 2236 wrote to memory of 2976	2236	rundll32mgr.exe	31
PID 2236 wrote to memory of 2976	2236	rundll32mgr.exe	31
PID 2236 wrote to memory of 308	2236	rundll32mgr.exe	32
PID 2236 wrote to memory of 308	2236	rundll32mgr.exe	32
PID 2236 wrote to memory of 308	2236	rundll32mgr.exe	32
PID 2236 wrote to memory of 308	2236	rundll32mgr.exe	32
PID 2976 wrote to memory of 2776	2976	rundll32mgrmgr.exe	33
PID 2976 wrote to memory of 2776	2976	rundll32mgrmgr.exe	33
PID 2976 wrote to memory of 2776	2976	rundll32mgrmgr.exe	33
PID 2976 wrote to memory of 2776	2976	rundll32mgrmgr.exe	33
PID 2776 wrote to memory of 2812	2776	WaterMark.exe	34
PID 2776 wrote to memory of 2812	2776	WaterMark.exe	34
PID 2776 wrote to memory of 2812	2776	WaterMark.exe	34
PID 2776 wrote to memory of 2812	2776	WaterMark.exe	34
PID 2812 wrote to memory of 2080	2812	WaterMarkmgr.exe	35
PID 2812 wrote to memory of 2080	2812	WaterMarkmgr.exe	35
PID 2812 wrote to memory of 2080	2812	WaterMarkmgr.exe	35
PID 2812 wrote to memory of 2080	2812	WaterMarkmgr.exe	35
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2348	2776	WaterMark.exe	37
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 2080 wrote to memory of 3052	2080	WaterMark.exe	38
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 308 wrote to memory of 2020	308	WaterMark.exe	36
PID 2776 wrote to memory of 2456	2776	WaterMark.exe	39
PID 2776 wrote to memory of 2456	2776	WaterMark.exe	39
PID 2776 wrote to memory of 2456	2776	WaterMark.exe	39

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1264
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:952
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1348
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1252
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1712
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1916
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1324
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:308
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
391KB

MD5
f51bc025f1e442e492ed5229a2319e59

SHA1
ac5830b83f39a1dc316755b114ef7999af417e55

SHA256
ca3bfceabb908b9cedb9b1d17bb7c40b40b914c99d196fe671ebf399f8926181

SHA512
c4bc7042ed25230a646766e5c2a27c75504cfeb50a9a4eaeba260e59a1169042ba935f7f0db1922575fe1f8d0ae493795144c3905cd89c60d492d61f9c42d0cd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
387KB

MD5
bb79395b294630fab793a9922d224cb5

SHA1
dab101546131da3fff4586650580c9590bca4de3

SHA256
f4ba5a9f4730a3449385770d910a0906c731aece71732e0dfef94b3449286dbd

SHA512
47317f4595224345efa5f970ea0ec5fcfc9f97ac0cf71264808b6c7ff476c21376c690459fea4a273a40cd8a7326f178767620edfde60fb385abf624e678f774

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
188KB

MD5
f1cc4545ce3fbb3f67997f636075c308

SHA1
ec73914f3f5d69b55450dcae36f38c2723dc0b37

SHA256
7c268326f493ef41a068cfca87d25e6c60442faa9a24539eea5777013f797856

SHA512
749a50c6663be9d3e74602a916a0679a25acbcf3763c3c8882a6d663a33a70b8b37a1f4927aa39bd1da60bbad572b1eae22ba0736d6d97ef61e1027c609fe6b2

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
93KB

MD5
35c2f27961e27275564493d459b6213e

SHA1
d8a65a578457493161262c77d6c76ed7876b6a8d

SHA256
1a1b741ef968cb4cb2e5a5404366a66cd69b025a5b38814792e2f51d43b2d60d

SHA512
b15bb1a4a5158bb4103d6f62cd64a8ac2df398f2990995a99898bf207fc653a0b877d5904689c106634d2bdb4efb38e55adafd4b07bb199c1875d4a1028ab557

Download Submit
memory/308-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/308-66-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/308-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/308-64-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2080-111-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2080-125-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2080-638-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2080-894-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-0-0x0000000005000000-0x00000000050D9000-memory.dmp

Filesize
868KB

Download
memory/2216-1-0x0000000005000000-0x00000000050D9000-memory.dmp

Filesize
868KB

Download
memory/2216-8-0x00000000001F0000-0x000000000023B000-memory.dmp

Filesize
300KB

Download
memory/2216-10-0x00000000001F0000-0x000000000023B000-memory.dmp

Filesize
300KB

Download
memory/2236-20-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2236-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-19-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2236-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-27-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2236-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2236-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-893-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-85-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-471-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-83-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2776-61-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2776-636-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2776-100-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2776-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2812-94-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/2812-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2812-93-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2812-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3052-116-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3052-118-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3052-126-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3052-127-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3052-128-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3052-141-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download