Analysis
max time kernel: 120s
max time network: 94s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 05:28
Static task: static1
Behavioral task: behavioral1
Sample: 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe
Resource: win7-20241010-en
General
Target: 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe
Size: 193KB
MD5: 8feaaa568f5738b665b1e0fb9a7e6f6e
SHA1: f9e794ba8bfdd5bc282483447574e63b1fb96361
SHA256: 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b
SHA512: 267d8f3ef61d4dd409db4c4d34bfc1ed2b31eb459637880b33dbb4c3ceaa9a872f871f51ee27144b4f3accb198b62d89dc2786811aebad66dc4957bf2cca673d
SSDEEP: 3072:cR2xn3k0CdM1vabyzJYWqSBS9lc+pe0McUDwTgnJKc/qk:cR2J0LS6VDlVLMcebnd/qk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
Winlogon launches every program in the comma-separated Userinit list at interactive logon, so appending WaterMark.exe makes it start with each user session. The stock Windows 7 value is the full path "C:\Windows\system32\userinit.exe," with nothing after the comma; here the first entry has also been reduced to a bare file name. The write lands under Wow6432Node because the writer is the 32-bit svchost.exe in C:\Windows\SysWOW64 and WOW64 registry redirection maps its HKLM\SOFTWARE writes there, so a hunt for this IoC should read both the native Winlogon key and the Wow6432Node view.
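A check for this IoC, added here as an example (it is not part of the sandbox report or of any vendor tooling): it parses a Userinit value the way a hunt script would, flags a first entry that is not the stock full path and any appended entries, and notes when the key was read from the Wow6432Node view. The first sample is the value above written with single backslashes (the report escapes them); the other two samples are constructed for contrast.

```python
"""Validate a Winlogon Userinit registry value.  Added example for this report,
not sandbox code; the first sample value is the IoC above, the rest are
constructed for contrast."""
import re
from typing import List, Tuple

# Stock Windows 7 first entry: full path to userinit.exe (drive letter or %SystemRoot%).
# Anything after it in the list is launched by winlogon.exe at every interactive logon.
STOCK_FIRST_ENTRY = re.compile(
    r"^(?:[a-z]:\\windows|%systemroot%)\\system32\\userinit\.exe$", re.I)


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated list, honouring double-quoted entries and dropping empties."""
    parts = re.findall(r'"[^"]*"|[^,]+', value)
    cleaned = [p.strip().strip('"').strip() for p in parts]
    return [p for p in cleaned if p]


def analyse_userinit(value: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, findings) for one Userinit value."""
    findings: List[str] = []
    entries = split_userinit(value)
    if not entries:
        return True, ["empty Userinit value; logon shell initialisation would fail"]
    first = entries[0]
    if not STOCK_FIRST_ENTRY.match(first):
        if first.lower().rsplit("\\", 1)[-1] == "userinit.exe":
            # bare name or non-standard directory: resolved by search order, not pinned
            findings.append(f"userinit.exe without its stock full path: {first!r}")
        else:
            findings.append(f"first entry is not userinit.exe: {first!r}")
    for extra in entries[1:]:
        findings.append(f"extra logon-time executable: {extra!r}")
    return bool(findings), findings


def analyse_key(key_path: str, value: str) -> List[str]:
    """Wrap analyse_userinit with a note when the key sits in the WOW64 view."""
    _, findings = analyse_userinit(value)
    if "\\wow6432node\\" in key_path.lower():
        findings.append("value written through the Wow6432Node view (32-bit writer); "
                        "check the native Winlogon key as well")
    return findings


SAMPLES = [
    # IoC from the report: the 32-bit (SysWOW64) svchost.exe set this value
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"),
    # constructed: stock Windows 7 value
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,"),
    # constructed: quoted stock entry followed by a quoted path that contains a comma
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r'"C:\Windows\system32\userinit.exe","C:\Users\Public\a,b.exe"'),
]

if __name__ == "__main__":
    for key, value in SAMPLES:
        view = "Wow6432Node" if "wow6432node" in key.lower() else "native"
        for finding in analyse_key(key, value) or ["ok"]:
            print(f"[{view}] {finding}")
```

The quoting rule matters in practice: a value such as `"C:\Program Files\x,y.exe"` is one entry to Winlogon, so a naive `split(",")` both over-counts entries and misreports the path it would flag.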
Ramnit family
Executes dropped EXE (5 IoCs)
- 2388 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe
- 2840 WaterMark.exe
- 2872 WaterMark.exe
- 2844 WaterMarkmgr.exe
- 2264 WaterMark.exe
Loads dropped DLL (10 IoCs)
- 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe (4 events)
- 2840 WaterMark.exe (2 events)
- 2388 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe (2 events)
- 2844 WaterMarkmgr.exe (2 events)
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
yara_rule "upx" matches (16 memory regions; resource / rule)
- behavioral1/memory/840-18-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-17-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-16-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-12-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-11-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-10-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/840-9-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2264-90-0x0000000000400000-0x0000000000452000-memory.dmp upx
- behavioral1/memory/2844-83-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2872-74-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2840-72-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2872-64-0x0000000000400000-0x0000000000452000-memory.dmp upx
- behavioral1/memory/2388-54-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2840-576-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2872-578-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral1/memory/2872-831-0x0000000000400000-0x0000000000421000-memory.dmp upx
Drops file in Program Files directory (64 IoCs)
All 64 records are "File opened for modification" by svchost.exe. The targets are .exe, .dll and .html files spread across third-party and Microsoft directories with no relationship other than their extension, which is consistent with Ramnit's known behaviour of infecting executables, DLLs and HTML files on the host. The list is shown at the 64-record display limit, so the real number of touched files is likely higher.
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll
- C:\Program Files\Java\jre7\bin\policytool.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll
- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Mozilla Firefox\vcruntime140.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll
- C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll
- C:\Program Files\Internet Explorer\IEShims.dll
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html
- C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll
- C:\Program Files\Windows NT\Accessories\WordpadFilter.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
- C:\Program Files\VideoLAN\VLC\lua\http\view.html
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll
- C:\Program Files\Common Files\System\ado\msader15.dll
- C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll
- C:\Program Files\Java\jre7\bin\jsdt.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
- C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll
- C:\Program Files\Windows Defender\MpEvMsg.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
- C:\Program Files\Java\jre7\bin\dt_shmem.dll
- C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL
- C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll
- C:\Program Files\Windows Journal\PDIALOG.exe
- C:\Program Files\Java\jre7\bin\nio.dll
- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll
- C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
- C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll
- C:\Program Files\Mozilla Firefox\mozavutil.dll
- C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html
- C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_rtp_plugin.dll
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe (1), 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe (1), WaterMarkmgr.exe (1), WaterMark.exe (3) and svchost.exe (6)
Suspicious behavior: EnumeratesProcesses (47 IoCs)
- 2840 WaterMark.exe (8 events)
- 2872 WaterMark.exe (8 events)
- 2264 WaterMark.exe (8 events)
- 1996 svchost.exe (23 events)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Every record is Token: SeDebugPrivilege. Enabling it lets a process open any other process with full access regardless of owner, which is the prerequisite for the cross-process writes listed below.
- 2840 WaterMark.exe (2 events)
- 2872 WaterMark.exe (2 events)
- 2264 WaterMark.exe (2 events)
- 1996 svchost.exe
- 1812 svchost.exe
- 2088 svchost.exe
- 1064 svchost.exe
- 1168 svchost.exe
Suspicious use of UnmapMainImage (6 IoCs)
- 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe
- 2388 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe
- 2840 WaterMark.exe
- 2872 WaterMark.exe
- 2844 WaterMarkmgr.exe
- 2264 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report records one line per write call; collapsed here by writer -> target (procid_target is the sandbox's ordinal for the target process).
- 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe -> 2388 (mgr.exe copy): 4 writes (procid_target 29)
- 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe -> 2840 WaterMark.exe: 4 writes (30)
- 2388 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe -> 2872 WaterMark.exe: 4 writes (32)
- 2840 WaterMark.exe -> 2844 WaterMarkmgr.exe: 4 writes (31)
- 2844 WaterMarkmgr.exe -> 2264 WaterMark.exe: 4 writes (33)
- 2840 WaterMark.exe -> 1660 svchost.exe: 10 writes (34)
- 2872 WaterMark.exe -> 1064 svchost.exe: 10 writes (35)
- 2264 WaterMark.exe -> 1168 svchost.exe: 10 writes (36)
- 2872 WaterMark.exe -> 1812 svchost.exe: 10 writes (38)
- 2840 WaterMark.exe -> 1996 svchost.exe: 4 writes (37)
Every target is a child the writer itself created; there are no writes into pre-existing processes. The svchost.exe children are the ones that go on to do the work (persistence, file modification, process enumeration), and most of them receive more writes than the dropped executables do, which together with the UnmapMainImage signature on the WaterMark.exe parents is consistent with a freshly created svchost.exe being hollowed and filled with the payload. The list is shown at the 64-record limit; the process tree also has a svchost.exe 2088 under WaterMark.exe 2264 that does not appear here.
Processes
Indentation shows parent/child depth. Each line gives the image path, the command line where it carries arguments or differs from the path, and the PID; the sample's own processes carry their signature tags as "- " bullets.

C:\Windows\System32\smss.exe (cmdline \SystemRoot\System32\smss.exe) PID 256
C:\Windows\system32\csrss.exe (cmdline %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID 336
C:\Windows\system32\wininit.exe (cmdline wininit.exe) PID 372
  C:\Windows\system32\services.exe PID 464
    C:\Windows\system32\svchost.exe -k DcomLaunch PID 604
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} PID 928
      C:\Windows\system32\wbem\wmiprvse.exe PID 1852
    C:\Windows\system32\svchost.exe -k RPCSS PID 684
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted PID 744
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted PID 816
      C:\Windows\system32\Dwm.exe PID 1320
    C:\Windows\system32\svchost.exe -k netsvcs PID 856
    C:\Windows\system32\svchost.exe -k LocalService PID 992
    C:\Windows\system32\svchost.exe -k NetworkService PID 300
    C:\Windows\System32\spoolsv.exe PID 272
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork PID 1032
    C:\Windows\system32\taskhost.exe PID 1232
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE PID 1120
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation PID 1928
    C:\Windows\system32\sppsvc.exe PID 1924
  C:\Windows\system32\lsass.exe PID 480
  C:\Windows\system32\lsm.exe PID 488
C:\Windows\system32\csrss.exe (same command line as PID 336) PID 384
C:\Windows\system32\winlogon.exe (cmdline winlogon.exe) PID 420
C:\Windows\Explorer.EXE PID 1360
  C:\Users\Admin\AppData\Local\Temp\55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe PID 840
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe PID 2388
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe PID 2872
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 1064
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 1812
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Microsoft\WaterMark.exe PID 2840
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe PID 2844
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe PID 2264
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 1168
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 2088
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 1660
      - Modifies WinLogon for persistence
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (cmdline C:\Windows\system32\svchost.exe, no -k group) PID 1996
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note on the svchost.exe instances under WaterMark.exe: a legitimate svchost.exe is started by services.exe with a -k <service group> argument from the 64-bit System32 directory, as every instance in the upper part of this tree is. The six under WaterMark.exe are children of a user-mode executable in Program Files (x86), carry no -k argument, and resolve to C:\Windows\SysWOW64\svchost.exe even though their command line says system32, because file-system redirection maps a 32-bit parent's System32 to SysWOW64. It is these PIDs, not WaterMark.exe itself, that set the Winlogon value, write dmlconf.dat and modify files under Program Files. Parent image, presence of -k, and image directory are therefore the three fields a detection for this behaviour should key on.
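The WriteProcessMemory listing and the svchost.exe anomalies in the process tree above, as an added example (not part of the sandbox report or of any vendor tooling): a Python parser for the report's "PID A wrote to memory of B" records that collapses them per writer/target pair and, using the tree's parent and image-path data, flags svchost.exe instances that were created and written into by something other than services.exe. PROCS is copied from the process tree on this page; SAMPLE_LOG is a constructed excerpt that keeps the report's record layout and PIDs but only a few of the 64 records, so the counts it yields are smaller than those tabulated above.

```python
"""Pull injection edges out of a sandbox WriteProcessMemory listing and flag
hollowed svchost.exe instances.  Added example for this report, not sandbox
tooling.  PROCS comes from the process tree on this page; SAMPLE_LOG is a
constructed excerpt of the report's records (same layout, far fewer lines)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b"

# pid -> (image path, parent pid), taken from the process tree above.
PROCS: Dict[int, Tuple[str, int]] = {
    464:  (r"C:\Windows\system32\services.exe", 372),
    604:  (r"C:\Windows\system32\svchost.exe", 464),   # legitimate: -k DcomLaunch, parent is the SCM
    1360: (r"C:\Windows\Explorer.EXE", 0),
    840:  (SAMPLE + ".exe", 1360),
    2388: (SAMPLE + "mgr.exe", 840),
    2840: (r"C:\Program Files (x86)\Microsoft\WaterMark.exe", 840),
    2872: (r"C:\Program Files (x86)\Microsoft\WaterMark.exe", 2388),
    2844: (r"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe", 2840),
    2264: (r"C:\Program Files (x86)\Microsoft\WaterMark.exe", 2844),
    1660: (r"C:\Windows\SysWOW64\svchost.exe", 2840),
    1996: (r"C:\Windows\SysWOW64\svchost.exe", 2840),
    1064: (r"C:\Windows\SysWOW64\svchost.exe", 2872),
    1812: (r"C:\Windows\SysWOW64\svchost.exe", 2872),
    1168: (r"C:\Windows\SysWOW64\svchost.exe", 2264),
}

# Constructed excerpt of the report's records:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
SAMPLE_LOG = """\
PID 840 wrote to memory of 2388 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe 29
PID 840 wrote to memory of 2388 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe 29
PID 840 wrote to memory of 2840 840 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b.exe 30
PID 2388 wrote to memory of 2872 2388 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe 32
PID 2840 wrote to memory of 1660 2840 WaterMark.exe 34
PID 2840 wrote to memory of 1660 2840 WaterMark.exe 34
PID 2840 wrote to memory of 1660 2840 WaterMark.exe 34
PID 2872 wrote to memory of 1064 2872 WaterMark.exe 35
PID 2872 wrote to memory of 1064 2872 WaterMark.exe 35
PID 2264 wrote to memory of 1168 2264 WaterMark.exe 36
PID 2840 wrote to memory of 1996 2840 WaterMark.exe 37
"""

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text: str) -> Counter:
    """Count records per (writer pid, target pid); skip records whose two writer fields disagree."""
    edges: Counter = Counter()
    for m in RECORD.finditer(text):
        writer, target, writer_again = int(m[1]), int(m[2]), int(m[3])
        if writer != writer_again:
            continue
        edges[(writer, target)] += 1
    return edges


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hollowing_candidates(edges: Counter, procs: Dict[int, Tuple[str, int]] = PROCS) -> List[Tuple[int, int, int]]:
    """Edges where a process other than services.exe writes into a svchost.exe: (writer, target, writes)."""
    hits = []
    for (writer, target), n in edges.items():
        if target not in procs or writer not in procs:
            continue
        if basename(procs[target][0]) != "svchost.exe":
            continue
        if basename(procs[writer][0]) == "services.exe":
            continue  # the SCM is the only expected creator of svchost.exe
        hits.append((writer, target, n))
    return sorted(hits)


def cross_process_writes(edges: Counter, procs: Dict[int, Tuple[str, int]] = PROCS) -> List[Tuple[int, int]]:
    """Writes into a process the writer did not create (thread-injection pattern; none in this report)."""
    return sorted((w, t) for (w, t) in edges if t in procs and procs[t][1] != w)


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_LOG)
    for writer, target, n in hollowing_candidates(edges):
        print(f"{writer} {basename(PROCS[writer][0])} -> {target} svchost.exe: {n} writes")
    print("writes into non-children:", cross_process_writes(edges))
```

Against a full export of the report the per-edge counts match the table above; the parent check is what separates these svchost.exe instances from the ones under services.exe, and cross_process_writes() is the companion check for the case this sample does not show, a write into a process the writer did not spawn.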
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. The two .html files are static Eclipse licence texts shipped with the JDK, so the hashes below are of the content after the run, and a clean copy of the same JDK build is the comparison point for what was appended.
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 401KB
  MD5: e7e006edd2b18d7ae22282e49ba47546
  SHA1: 7a2e2b65cf23a6d5f5b8900bcb3c4bc4739933d9
  SHA256: 6eec26d64cad8dc9662eb9a57628a7a91ff943e2fb03226fb98b5dc05d424d85
  SHA512: 96fbf84e660a470b4db062408e91e09c699229864889c17c3b0c403ef3ad992669cdd307fe5a69492ce582f8ed783c2536b7344b642459575239d31a895d09b3
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 397KB
  MD5: ed7f261608d51a43f554205357a75c25
  SHA1: 34748ee5fbf280b801c27fa110f5ac33c280ca51
  SHA256: 05faf1d3738747a26744d81094ee5cf6fa8945bb6e37a19d63aba2c45bd7cfde
  SHA512: bcdc5b447745d7d7dc1d98c5a5c3ef5add7b3259e6efdbb060a4c1a242fa8333cac240add8d513ca68b432b2d8ef661a6fcf4323ee98f5067a066156f9057b53
(path not recorded in this extract; the hashes are identical to the submitted sample's)
  Filesize: 193KB
  MD5: 8feaaa568f5738b665b1e0fb9a7e6f6e
  SHA1: f9e794ba8bfdd5bc282483447574e63b1fb96361
  SHA256: 55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72b
  SHA512: 267d8f3ef61d4dd409db4c4d34bfc1ed2b31eb459637880b33dbb4c3ceaa9a872f871f51ee27144b4f3accb198b62d89dc2786811aebad66dc4957bf2cca673d
\Users\Admin\AppData\Local\Temp\55e88cd765e0cb497c639c7aee4f8e7df4fc0dccb00b65374c1021db84cfd72bmgr.exe
  Filesize: 95KB
  MD5: a4713ab560c0b6fe888ca2c5d6180d16
  SHA1: 3da4c22c194c479bf18f6c41160bf01b82ce7884
  SHA256: 25886cf014a17a73ec4b4501686246a082c9caebc87d6dcd789ac73789a1abdf
  SHA512: 580a4210dcefce49cd333b73e4bc52e7a8a67af839c50382185d133b905b3c759b78ddd1df3825306067de7851b861aa0a9c89d6d3e9b5908ac69d0ef6d2ae9d