Analysis
max time kernel: 120s
max time network: 92s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 20:28
Static task: static1
Behavioral task: behavioral1
Sample: 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
Resource: win7-20241010-en
General
Target: 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
Size: 193KB
MD5: bc5f0977acec702961e4d2fe9e2682b0
SHA1: 3da68a6f8cf57381d87b3fec2e1c5daefffd77c3
SHA256: 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41b
SHA512: cc06762af3c6ad0820d9aca6fbd55e507397f74bfeebdbfe0ca2e2083ed8a023a50b9023ca48584109856991b108dc486a0e562ed23ee45667ffb0c8c83ad9d8
SSDEEP: 3072:cR2xn3k0CdM1vabyzJYWqSBS9lc+pe0McUDwTgnJKc/qk:cR2J0LS6VDlVLMcebnd/qk
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Ramnit family

Executes dropped EXE (4 IoCs)
pid | Process
2148 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe
2260 | WaterMark.exe
2448 | WaterMarkmgr.exe
2824 | WaterMark.exe

Loads dropped DLL (8 IoCs)
pid | Process
2524 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
2524 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
2524 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
2524 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
2260 | WaterMark.exe
2260 | WaterMark.exe
2448 | WaterMarkmgr.exe
2448 | WaterMarkmgr.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

resource | yara_rule
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-71-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2260-69-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-62-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2448-52-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2148-118-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2524-11-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2260-483-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-485-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2260-738-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2824-741-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMarkmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses 40 IoCs
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2260 | WaterMark.exe
Token: SeDebugPrivilege | 2824 | WaterMark.exe
Token: SeDebugPrivilege | 1604 | svchost.exe
Token: SeDebugPrivilege | 2548 | svchost.exe
Token: SeDebugPrivilege | 2260 | WaterMark.exe
Token: SeDebugPrivilege | 2824 | WaterMark.exe
Token: SeDebugPrivilege | 2044 | svchost.exe

Suspicious use of UnmapMainImage (5 IoCs)
pid | Process
2524 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe
2260 | WaterMark.exe
2448 | WaterMarkmgr.exe
2824 | WaterMark.exe
2148 | 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree, indented by depth (PID | image path | command line); the signatures each process triggered are listed beneath it:

PID 256 | C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
PID 332 | C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 380 | C:\Windows\system32\wininit.exe | wininit.exe
  PID 476 | C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
    PID 604 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
      PID 1236 | C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe
      PID 1596 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID 680 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
    PID 760 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    PID 812 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      PID 1160 | C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
    PID 840 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
      PID 868 | C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
    PID 964 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
    PID 236 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
    PID 344 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
    PID 1064 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    PID 1108 | C:\Windows\system32\taskhost.exe | "taskhost.exe"
    PID 1244 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    PID 292 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    PID 2296 | C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  PID 492 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
  PID 500 | C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
PID 392 | C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 432 | C:\Windows\system32\winlogon.exe | winlogon.exe
PID 1196 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 2524 | C:\Users\Admin\AppData\Local\Temp\2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe | "C:\Users\Admin\AppData\Local\Temp\2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bN.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID 2148 | C:\Users\Admin\AppData\Local\Temp\2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe | C:\Users\Admin\AppData\Local\Temp\2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
    PID 2260 | C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID 2448 | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID 2824 | C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID 2836 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
          PID 2548 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
      PID 2044 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      PID 1604 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path given; same hashes as the submitted sample)
Filesize: 193KB
MD5: bc5f0977acec702961e4d2fe9e2682b0
SHA1: 3da68a6f8cf57381d87b3fec2e1c5daefffd77c3
SHA256: 2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41b
SHA512: cc06762af3c6ad0820d9aca6fbd55e507397f74bfeebdbfe0ca2e2083ed8a023a50b9023ca48584109856991b108dc486a0e562ed23ee45667ffb0c8c83ad9d8

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 401KB
MD5: 3fb838024d7005aff9e57489fa1e811c
SHA1: f814ac245d6e9af548f1d5a0a2f66d5a277977c8
SHA256: 3fda154a36ee073b9446b8c53cad4dceba146e99ead7c2db73c529ce8bf12ec0
SHA512: b895e6c46ad4537d72903658372acfe9e1775ce36aa2afee8a11ef5639299435b390b8e44b2a64ad00773b62f0368d2db4ceb39d0c2736f95b0d731a23e16218

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 397KB
MD5: 75e93429e91f525a866623a94b75c1aa
SHA1: fea9389ac5ae5645d35a832023d8175fdaaa5d0e
SHA256: 26b555f5259993a3ab2552e11a623ef7be24f21b3dd1845ca84e91e7dd8cf4a2
SHA512: aec39e29706832213164e60624e5a3bbb4beb81815390cdafee26f14b3ad7f016c93f12a9fe04fc888d942f6bc732d4208c2d6ba0dbf34ad521d9b38b5ade93a

\Users\Admin\AppData\Local\Temp\2e4cd2d222434cca5c7dd3e685a4c4355a0f0d962b6b3cca3bdc74d4db41c41bNmgr.exe
Filesize: 95KB
MD5: a4713ab560c0b6fe888ca2c5d6180d16
SHA1: 3da4c22c194c479bf18f6c41160bf01b82ce7884
SHA256: 25886cf014a17a73ec4b4501686246a082c9caebc87d6dcd789ac73789a1abdf
SHA512: 580a4210dcefce49cd333b73e4bc52e7a8a67af839c50382185d133b905b3c759b78ddd1df3825306067de7851b861aa0a9c89d6d3e9b5908ac69d0ef6d2ae9d