Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 19:09
Static task
static1
Behavioral task
behavioral1
Sample
836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll
Resource
win7-20240903-en
General
-
Target
836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll
-
Size
224KB
-
MD5
f4452ffa750b695b3d921c95d4f94eb0
-
SHA1
bfb105f0c59478d15bfca22fe93ab1962000c894
-
SHA256
836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fb
-
SHA512
5cd43273ecc00f27db4e4fc3da225c181130f7ed9c4c6937ed2578a2fa28c21fd42682d639555f5af69ded931985bb89347c130ac7251a74b2935abc06ec7c6f
-
SSDEEP
3072:ZGd5SXa28vl8juKJcXV9lCgGNlx91xaafMWtXZDPEs3K0G:0d5h7+juU8V9rGrr1xaaflpDPEs3HG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 6 IoCs
pid Process 2484 rundll32mgr.exe 2480 rundll32mgrmgr.exe 2292 WaterMark.exe 2244 WaterMarkmgr.exe 2308 WaterMark.exe 2684 WaterMark.exe -
Loads dropped DLL 12 IoCs
pid Process 1268 rundll32.exe 1268 rundll32.exe 2484 rundll32mgr.exe 2484 rundll32mgr.exe 2484 rundll32mgr.exe 2484 rundll32mgr.exe 2292 WaterMark.exe 2292 WaterMark.exe 2244 WaterMarkmgr.exe 2244 WaterMarkmgr.exe 2480 rundll32mgrmgr.exe 2480 rundll32mgrmgr.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2484-31-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-29-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2308-129-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2292-122-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2480-87-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2292-74-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/2244-68-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-41-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2484-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2684-158-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2684-922-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2308-921-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2292-925-0x0000000000370000-0x0000000000391000-memory.dmp upx behavioral1/memory/2244-3324-0x00000000001B0000-0x00000000001EE000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\fxplugins.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\axvlc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\java.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\net.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\Welcome.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\MSPVWCTL.DLL svchost.exe File opened for modification C:\Program Files\Internet Explorer\pdmproxy100.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Mail\MSOERES.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\NBMapTIP.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmprph.exe svchost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2280 1268 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgrmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process 2308 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2684 WaterMark.exe 2292 WaterMark.exe 2292 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2684 WaterMark.exe 2308 WaterMark.exe 2220 svchost.exe 2292 WaterMark.exe 2292 WaterMark.exe 2292 WaterMark.exe 2292 WaterMark.exe 2292 WaterMark.exe 2292 WaterMark.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe 2220 svchost.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2308 WaterMark.exe Token: SeDebugPrivilege 2684 WaterMark.exe Token: SeDebugPrivilege 2292 WaterMark.exe Token: SeDebugPrivilege 2220 svchost.exe Token: SeDebugPrivilege 1600 svchost.exe Token: SeDebugPrivilege 1804 svchost.exe Token: SeDebugPrivilege 1268 rundll32.exe Token: SeDebugPrivilege 2280 WerFault.exe Token: SeDebugPrivilege 2292 WaterMark.exe Token: SeDebugPrivilege 2308 WaterMark.exe Token: SeDebugPrivilege 2684 WaterMark.exe Token: SeDebugPrivilege 3056 svchost.exe Token: SeDebugPrivilege 236 svchost.exe -
Suspicious use of UnmapMainImage 6 IoCs
pid Process 2484 rundll32mgr.exe 2292 WaterMark.exe 2244 WaterMarkmgr.exe 2480 rundll32mgrmgr.exe 2308 WaterMark.exe 2684 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 2372 wrote to memory of 1268 2372 rundll32.exe 30 PID 1268 wrote to memory of 2484 1268 rundll32.exe 31 PID 1268 wrote to memory of 2484 1268 rundll32.exe 31 PID 1268 wrote to memory of 2484 1268 rundll32.exe 31 PID 1268 wrote to memory of 2484 1268 rundll32.exe 31 PID 1268 wrote to memory of 2280 1268 rundll32.exe 32 PID 1268 wrote to memory of 2280 1268 rundll32.exe 32 PID 1268 wrote to memory of 2280 1268 rundll32.exe 32 PID 1268 wrote to memory of 2280 1268 rundll32.exe 32 PID 2484 wrote to memory of 2480 2484 rundll32mgr.exe 33 PID 2484 wrote to memory of 2480 2484 rundll32mgr.exe 33 PID 2484 wrote to memory of 2480 2484 rundll32mgr.exe 33 PID 2484 wrote to memory of 2480 2484 rundll32mgr.exe 33 PID 2484 wrote to memory of 2292 2484 rundll32mgr.exe 34 PID 2484 wrote to memory of 2292 2484 rundll32mgr.exe 34 PID 2484 wrote to memory of 2292 2484 rundll32mgr.exe 34 PID 2484 wrote to memory of 2292 2484 rundll32mgr.exe 34 PID 2292 wrote to memory of 2244 2292 WaterMark.exe 35 PID 2292 wrote to memory of 2244 2292 WaterMark.exe 35 PID 2292 wrote to memory of 2244 2292 WaterMark.exe 35 PID 2292 wrote to memory of 2244 2292 WaterMark.exe 35 PID 2244 wrote to memory of 2308 2244 WaterMarkmgr.exe 36 PID 2244 wrote to memory of 2308 2244 WaterMarkmgr.exe 36 PID 2244 wrote to memory of 2308 2244 WaterMarkmgr.exe 36 PID 2244 wrote to memory of 2308 2244 WaterMarkmgr.exe 36 PID 2480 wrote to memory of 2684 2480 rundll32mgrmgr.exe 37 PID 2480 wrote to memory of 2684 2480 rundll32mgrmgr.exe 37 PID 2480 wrote to memory of 2684 2480 rundll32mgrmgr.exe 37 PID 2480 wrote to memory of 2684 2480 rundll32mgrmgr.exe 37 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2684 wrote to memory of 3056 2684 WaterMark.exe 38 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2308 wrote to memory of 3060 2308 WaterMark.exe 39 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40 PID 2292 wrote to memory of 236 2292 WaterMark.exe 40
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1536
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1328
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:676
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:748
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:812
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1172
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:860
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2612
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:268
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:328
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1068
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1108
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1740
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2976
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:1936
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:428
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe8⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3060
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:236
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 2244⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize384KB
MD5a0ec1e61ddab3d54a6c1472b19d8292b
SHA18446ab1477754e9bb5a28e78a934b7319afe2d0a
SHA256f6617eda9048a7771eed3c0fac74ef27f4290a37f8a1b804eb4fedaef15e58bd
SHA512c13b55dbd148936684a65d510d7cea8bcb91a4b5efcd1a9bbfa6f82cd07f69fd209f95816794c923a19533e397de0a6037cf4b0052111c922374ca8ba1ac2827
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize381KB
MD54928721584cb5a51f0c98a016051d56f
SHA17e998d83f74a664fd30e4ed8be1b95ac77887eeb
SHA2560ea0c18f48d6a35b521abf04b171eda86bbf5f4731f3765a4c80366ac5a9ab7c
SHA512cabace0de385d49b9eae622562f2692aac917216f30c01b456a37c000d7eb0a8dad6cb9dd07ee67b85b44e8fe21c25074f815018a735760f669f898e09e73cb2
-
Filesize
185KB
MD5a1ada298faa9819dca0eab0165d978d9
SHA150d7bd60790cc2370d4c3a2382e3e7248b95ef6e
SHA2563f2af8dff9eb0ee18e38ce952c51bf1b461094fd03e71e137a61219c595cc742
SHA512672a5f15f704932ae0dab2562238be9ca91743ce6885b79fe0bbf000ee1a8e9389278591221dcb6ee5d488faaf374d0603a985a62cb1b639ba27b0e774e25978
-
Filesize
91KB
MD5c56eab01a1504045b4e4b4376630e35d
SHA11586025ddf036c2ce35601e6021fad5df2814963
SHA256e41b8af9b477ee81e0c2fa21b6a3a5a598a43874128ba117f287ce99471d8631
SHA5121f1034f40beeb52e92524dc17984f45f12a911d5364d36ca43ef197b89348d7a3c373ca4ebee20b260693028151df1475d472d3432eed02cce6b2e3ac3d12d71