Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll
Resource
win7-20240903-en
General
-
Target
904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll
-
Size
847KB
-
MD5
e39ce0a9490d34de9dcf5707efedbbae
-
SHA1
3dafc8544447630375959d8387510f33b0867dac
-
SHA256
904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669
-
SHA512
5a9f30c9c39b3a0d141d8ab7b03d203c54d4b3062551443831f317f393b4524ef5ac1dc8aca8b687b866150ad0e170b5369c10b987cde592606137ad9159aea6
-
SSDEEP
24576:2zb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPEs++iv:2zbKsUmjtcdPGgIwPEsriv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 5 IoCs
pid Process 1780 rundll32mgr.exe 2260 rundll32mgrmgr.exe 2760 WaterMark.exe 2816 WaterMark.exe 3016 WaterMarkmgr.exe -
Loads dropped DLL 10 IoCs
pid Process 768 rundll32.exe 768 rundll32.exe 1780 rundll32mgr.exe 1780 rundll32mgr.exe 1780 rundll32mgr.exe 2260 rundll32mgrmgr.exe 1780 rundll32mgr.exe 2260 rundll32mgrmgr.exe 2760 WaterMark.exe 2760 WaterMark.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2260-39-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-38-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-33-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-32-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1780-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2760-70-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3016-106-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2760-440-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2760-696-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7zG.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\management.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextService.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\zip.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\nss3.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieproxy.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll svchost.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll svchost.exe File opened for modification C:\Program Files\Windows Mail\wabimp.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MsMpCom.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgrmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 2760 WaterMark.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe 1472 svchost.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2760 WaterMark.exe Token: SeDebugPrivilege 1472 svchost.exe Token: SeDebugPrivilege 2760 WaterMark.exe Token: SeDebugPrivilege 768 rundll32.exe -
Suspicious use of UnmapMainImage 5 IoCs
pid Process 1780 rundll32mgr.exe 2260 rundll32mgrmgr.exe 2760 WaterMark.exe 3016 WaterMarkmgr.exe 2816 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 2544 wrote to memory of 768 2544 rundll32.exe 30 PID 768 wrote to memory of 1780 768 rundll32.exe 31 PID 768 wrote to memory of 1780 768 rundll32.exe 31 PID 768 wrote to memory of 1780 768 rundll32.exe 31 PID 768 wrote to memory of 1780 768 rundll32.exe 31 PID 1780 wrote to memory of 2260 1780 rundll32mgr.exe 32 PID 1780 wrote to memory of 2260 1780 rundll32mgr.exe 32 PID 1780 wrote to memory of 2260 1780 rundll32mgr.exe 32 PID 1780 wrote to memory of 2260 1780 rundll32mgr.exe 32 PID 1780 wrote to memory of 2760 1780 rundll32mgr.exe 33 PID 1780 wrote to memory of 2760 1780 rundll32mgr.exe 33 PID 1780 wrote to memory of 2760 1780 rundll32mgr.exe 33 PID 1780 wrote to memory of 2760 1780 rundll32mgr.exe 33 PID 2260 wrote to memory of 2816 2260 rundll32mgrmgr.exe 34 PID 2260 wrote to memory of 2816 2260 rundll32mgrmgr.exe 34 PID 2260 wrote to memory of 2816 2260 rundll32mgrmgr.exe 34 PID 2260 wrote to memory of 2816 2260 rundll32mgrmgr.exe 34 PID 2760 wrote to memory of 3016 2760 WaterMark.exe 35 PID 2760 wrote to memory of 3016 2760 WaterMark.exe 35 PID 2760 wrote to memory of 3016 2760 WaterMark.exe 35 PID 2760 wrote to memory of 3016 2760 WaterMark.exe 35 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 2972 2760 WaterMark.exe 36 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 2760 wrote to memory of 1472 2760 WaterMark.exe 37 PID 1472 wrote to memory of 256 1472 svchost.exe 1 PID 1472 wrote to memory of 256 1472 svchost.exe 1 PID 1472 wrote to memory of 256 1472 svchost.exe 1 PID 1472 wrote to memory of 256 1472 svchost.exe 1 PID 1472 wrote to memory of 256 1472 svchost.exe 1 PID 1472 wrote to memory of 336 1472 svchost.exe 2 PID 1472 wrote to memory of 336 1472 svchost.exe 2 PID 1472 wrote to memory of 336 1472 svchost.exe 2 PID 1472 wrote to memory of 336 1472 svchost.exe 2 PID 1472 wrote to memory of 336 1472 svchost.exe 2 PID 1472 wrote to memory of 384 1472 svchost.exe 3 PID 1472 wrote to memory of 384 1472 svchost.exe 3 PID 1472 wrote to memory of 384 1472 svchost.exe 3 PID 1472 wrote to memory of 384 1472 svchost.exe 3 PID 1472 wrote to memory of 384 1472 svchost.exe 3 PID 1472 wrote to memory of 396 1472 svchost.exe 4 PID 1472 wrote to memory of 396 1472 svchost.exe 4
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:600
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1524
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1672
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:680
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:756
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:816
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1164
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:856
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:3064
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:964
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:112
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:296
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1068
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1104
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:872
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1952
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2452
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:2816
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:3016
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize391KB
MD52b7ba6617bd33477e905c4cf175d26c8
SHA1cd1722a68120b11bd5826b37459f47652b5ad2b7
SHA256b25c6598acfdde94cb484df195cfdf9cdfb47295187e48bc852f7de9424d5c25
SHA51250ab2be5715900c19c00ac40ba154cf3d094ecca59a0b9c627c9a3fcdefe5f923ef611b2632b66fe216396c9b49b909201b94f394d94bb8e3e9b258e2fa4d733
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize387KB
MD5c5a3464c4dab11dbb2fb114599db6aed
SHA18b067f0933c75a31c9e79bc35f6215717f102fb0
SHA25675bd4fd583bf11b12f904b614b648da4c7a8ab224539a56b2cd0c30011a5a864
SHA512e3389145a81728df46e624027fee2a5c12e3dd4d61ed1595f0eabc05c2e6f1a8e82908d20f9c462b3addeb49a7a2b736431398b5e45dca5cb383c83a547f455f
-
Filesize
189KB
MD5099e4698fcd0d07e187674a28d6f0753
SHA12d8f6796eb9481e50527192c28d4bb0b35ccf9fd
SHA256250f98faf04cfac9aecdc1aac8014c8586b0f08564ad0ca782b17c7703fb6469
SHA51294ce6c87edea0678d459d10bd1d5e19e1eba0a9fc54e2e8884c64fe5c67921b80b054b430dcb6b9102385587c48c93a6ac44c4dd77ba1cbdf378171ff8d0ea69
-
Filesize
93KB
MD535c2f27961e27275564493d459b6213e
SHA1d8a65a578457493161262c77d6c76ed7876b6a8d
SHA2561a1b741ef968cb4cb2e5a5404366a66cd69b025a5b38814792e2f51d43b2d60d
SHA512b15bb1a4a5158bb4103d6f62cd64a8ac2df398f2990995a99898bf207fc653a0b877d5904689c106634d2bdb4efb38e55adafd4b07bb199c1875d4a1028ab557