Analysis
max time kernel: 120s
max time network: 86s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 07:14
Static task: static1
Behavioral task: behavioral1
Sample: 8342585e9eee1b1911992068dfa8f5dd1b9e1548f1f81d726ddb5f1442b5009dN.dll
Resource: win7-20240903-en
General
Target: 8342585e9eee1b1911992068dfa8f5dd1b9e1548f1f81d726ddb5f1442b5009dN.dll
Size: 947KB
MD5: b8cf1b97212eab07ad9d97f6771bf6e0
SHA1: 3da088e4ca06a1e54ca4dc36a2c47810169af877
SHA256: 8342585e9eee1b1911992068dfa8f5dd1b9e1548f1f81d726ddb5f1442b5009d
SHA512: 4ca204cba05f596b83c897cd4499b50c1bfb8c290d5d3e15edde972d77e0acd8ebca89c3468791e9892c5c0979b2d71754798628fd3dc6a4616d50d39bafab3b
SSDEEP: 24576:pzb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwP+PmS4+xXGeBD+VF3D:pzbKsUmjtcdPGgIwP+PmSdF+P
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Ramnit family

Executes dropped EXE (6 IoCs)
pid | Process
2300 | rundll32mgr.exe
2808 | rundll32mgrmgr.exe
2580 | WaterMark.exe
2824 | WaterMark.exe
2700 | WaterMarkmgr.exe
2220 | WaterMark.exe
Loads dropped DLL (12 IoCs)
pid | Process
2064 | rundll32.exe
2064 | rundll32.exe
2300 | rundll32mgr.exe
2300 | rundll32mgr.exe
2300 | rundll32mgr.exe
2300 | rundll32mgr.exe
2808 | rundll32mgrmgr.exe
2808 | rundll32mgrmgr.exe
2580 | WaterMark.exe
2580 | WaterMark.exe
2700 | WaterMarkmgr.exe
2700 | WaterMarkmgr.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe

resource | yara_rule
behavioral1/memory/2300-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2220-157-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2580-148-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-75-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2580-97-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2580-60-0x00000000001C0000-0x00000000001EF000-memory.dmp | upx
behavioral1/memory/2220-93-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral1/memory/2700-87-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2808-51-0x0000000000700000-0x0000000000754000-memory.dmp | upx
behavioral1/memory/2808-41-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-35-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-33-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-32-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2300-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2580-879-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-882-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre7\bin\libxml2.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\DVD Maker\Pipeline.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\System\wab32res.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\msvcr100.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\sunec.dll | svchost.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll | svchost.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll | svchost.exe
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgrmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMarkmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (47 IoCs; identical rows collapsed, with the number of occurrences in the last column)
pid | Process | occurrences
2580 | WaterMark.exe | 8
2824 | WaterMark.exe | 8
2220 | WaterMark.exe | 8
2244 | svchost.exe | 23
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2580 | WaterMark.exe
Token: SeDebugPrivilege | 2824 | WaterMark.exe
Token: SeDebugPrivilege | 2220 | WaterMark.exe
Token: SeDebugPrivilege | 2244 | svchost.exe
Token: SeDebugPrivilege | 2180 | svchost.exe
Token: SeDebugPrivilege | 2108 | svchost.exe
Token: SeDebugPrivilege | 2064 | rundll32.exe
Token: SeDebugPrivilege | 2824 | WaterMark.exe
Token: SeDebugPrivilege | 2580 | WaterMark.exe
Token: SeDebugPrivilege | 2220 | WaterMark.exe
Token: SeDebugPrivilege | 484 | svchost.exe
Token: SeDebugPrivilege | 2848 | svchost.exe
Suspicious use of UnmapMainImage (6 IoCs)
pid | Process
2300 | rundll32mgr.exe
2808 | rundll32mgrmgr.exe
2580 | WaterMark.exe
2824 | WaterMark.exe
2700 | WaterMarkmgr.exe
2220 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | occurrences
PID 2128 wrote to memory of 2064 | 2128 | rundll32.exe | 30 | 7
PID 2064 wrote to memory of 2300 | 2064 | rundll32.exe | 31 | 4
PID 2300 wrote to memory of 2808 | 2300 | rundll32mgr.exe | 32 | 4
PID 2300 wrote to memory of 2824 | 2300 | rundll32mgr.exe | 33 | 4
PID 2808 wrote to memory of 2580 | 2808 | rundll32mgrmgr.exe | 34 | 4
PID 2580 wrote to memory of 2700 | 2580 | WaterMark.exe | 35 | 4
PID 2700 wrote to memory of 2220 | 2700 | WaterMarkmgr.exe | 36 | 4
PID 2824 wrote to memory of 484 | 2824 | WaterMark.exe | 37 | 10
PID 2220 wrote to memory of 2848 | 2220 | WaterMark.exe | 39 | 10
PID 2580 wrote to memory of 1336 | 2580 | WaterMark.exe | 38 | 10
PID 2220 wrote to memory of 2244 | 2220 | WaterMark.exe | 41 | 3
Processes
Process tree; indentation shows the parent/child relationship. Each process line reads: image | command line | PID, followed by the signatures that process triggered.

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 336
C:\Windows\system32\wininit.exe | wininit.exe | PID 384
    C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 476
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 588
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1348
            C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 304
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 668
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 752
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 800
            C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1168
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 848
            C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 2900
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 956
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 108
        C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 980
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1060
        C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1104
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 1616
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 2424
        C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 2480
    C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 488
    C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 496
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 396
C:\Windows\system32\winlogon.exe | winlogon.exe | PID 432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1252
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8342585e9eee1b1911992068dfa8f5dd1b9e1548f1f81d726ddb5f1442b5009dN.dll,#1 | PID 2128
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8342585e9eee1b1911992068dfa8f5dd1b9e1548f1f81d726ddb5f1442b5009dN.dll,#1 | PID 2064
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | PID 2300
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe | PID 2808
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of UnmapMainImage
                  - Suspicious use of WriteProcessMemory
                    C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 2580
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of UnmapMainImage
                      - Suspicious use of WriteProcessMemory
                        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe" | PID 2700
                          - Executes dropped EXE
                          - Loads dropped DLL
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of UnmapMainImage
                          - Suspicious use of WriteProcessMemory
                            C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 2220
                              - Executes dropped EXE
                              - System Location Discovery: System Language Discovery
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of UnmapMainImage
                              - Suspicious use of WriteProcessMemory
                                C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2848
                                  - System Location Discovery: System Language Discovery
                                  - Suspicious use of AdjustPrivilegeToken
                                C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2244
                                  - System Location Discovery: System Language Discovery
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 1336
                          - Modifies WinLogon for persistence
                          - Drops file in System32 directory
                          - Drops file in Program Files directory
                          - System Location Discovery: System Language Discovery
                        C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2180
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of AdjustPrivilegeToken
                C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 2824
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of UnmapMainImage
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 484
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2108
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 591KB
MD5: 1ae43d66c0564bc7a4d3901731ff7ea8
SHA1: c233df9b90598a3b4fea55e9fc640a802c43b6c4
SHA256: a61cb98e5b3d65fdd77570772952f5472bc19bfd82e49ee3d8c233f42fa97c48
SHA512: 3bc559e39313d3ed42926a2a6eac09e21948bd48d281d354ca41ec834e2cb37b4b76616f25c8038f2f795fa2c29b80d583694a480a45d72b3909091c0cb1b031

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 587KB
MD5: 7ddb4820e3114ed71c0947da7cb8ddf8
SHA1: 8f7e0f16f908b3dbe0fe16c213fea632e3b58041
SHA256: 294eb2defd8d2965fe38b7139f99f0b3a86b75ca20d220267ebfeea127d35d3e
SHA512: e918b8759f157f918e0455edb136b2b8142ec4ac37e1f7880310da0aa730ad38038b6f665357b55173b10536121a62ada98e15f49843bfcbe7b6979dfd7a602a

Filesize: 143KB
MD5: 963056968f712dce49fed780756eafa3
SHA1: 1f833526e877d34bda4b7aad52be1b52f25c9bf2
SHA256: be71c16ee9e9ea295cf6f266ddf343c4589843e4288a09f60f9e15923d8f8313
SHA512: 8ff2bd3c17e6a8730940dcc45faa600c5429a1e5e812821350d8c6448ddcc1526f5246608b5a56592276b15a821a78440adf05652c7dfb2b0016707dce9c958e

Filesize: 288KB
MD5: 7ad8b248824fb32c2994128f02025872
SHA1: e909d655af544419bfb1f9057f3f4aae5ab3f6ad
SHA256: 64d9e990eb96059ac2ea6d0853bf07b0c3499214e09854ac24f6b1f2688a1d66
SHA512: f18a946f015ecd3e1f5694a72efbef3111c6c259ef9206f84d3c01ee6804fdc51fb052914143bc24e39583753d6bf15bc0dd9c1b4d5cc607f452cd0a79ced085