Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 89s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 16:08

Static task: static1
Behavioral task: behavioral1
  Sample: 7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll
  Resource: win10v2004-20241007-en
General
Target: 7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll
Size: 380KB
MD5: 2e105a3d4ac1f34442ac38c4aed63aa5
SHA1: 5b6d9102642d2971e74850c79f1aece482d112e0
SHA256: 7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621
SHA512: 966af334e95e70e610ffca72d4b651fc2da78716aa502f793482b3ab75fd47a37918fdfd1ef64b73213fae00daf1112f96e4ec8e74a1e87ad812b8a443816685
SSDEEP: 6144:/4y8gOl2lWXFYTVNtfU3bnKWWJZfEJ8xln5+H:gy8gyQNe2J6Js58
Malware Config
Signatures
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  (process: svchost.exe)

Ramnit family

Executes dropped EXE  (6 IoCs)
- 1964 rundll32mgr.exe
- 2372 rundll32mgrmgr.exe
- 2308 WaterMark.exe
- 3016 WaterMark.exe
- 2980 WaterMarkmgr.exe
- 2720 WaterMark.exe

Loads dropped DLL  (12 IoCs)
- 2336 rundll32.exe (x2)
- 1964 rundll32mgr.exe (x4)
- 2372 rundll32mgrmgr.exe (x2)
- 2308 WaterMark.exe (x2)
- 2980 WaterMarkmgr.exe (x2)

Drops file in System32 directory  (4 IoCs)
- File created: C:\Windows\SysWOW64\rundll32mgrmgr.exe  (process: rundll32mgr.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat  (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat  (process: svchost.exe)
- File created: C:\Windows\SysWOW64\rundll32mgr.exe  (process: rundll32.exe)

yara_rule: upx  (15 IoCs)
All hits are behavioral1 memory dumps of the same 0x0000000000400000-0x0000000000421000 region, named behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000421000-memory.dmp:
- 1964-33, 1964-34, 1964-36
- 2372-23, 2372-24, 2372-25, 2372-26, 2372-41
- 2308-97, 2308-146
- 3016-76, 3016-868
- 2980-86
- 2720-159, 2720-867

Drops file in Program Files directory  (64 IoCs)
All 64 entries are "File opened for modification" by svchost.exe:
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html
- C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll
- C:\Program Files\Java\jre7\bin\jabswitch.exe
- C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
- C:\Program Files\Mozilla Firefox\osclientcerts.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html
- C:\Program Files\Java\jre7\bin\glass.dll
- C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll
- C:\Program Files\Java\jre7\bin\npt.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
- C:\Program Files\Common Files\System\Ole DB\msxactps.dll
- C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
- C:\Program Files\DVD Maker\OmdProject.dll
- C:\Program Files\Mozilla Firefox\mozavutil.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll
- C:\Program Files\7-Zip\7-zip32.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
- C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll
- C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll
- C:\Program Files\Windows Media Player\wmprph.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll
- C:\Program Files\Windows Defender\MSASCui.exe
- C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll
- C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
- C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll

System Location Discovery: System Language Discovery  (1 TTP, 13 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 13 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- svchost.exe (x6)
- WaterMark.exe (x3)
- rundll32.exe
- rundll32mgr.exe
- rundll32mgrmgr.exe
- WaterMarkmgr.exe

Suspicious behavior: EnumeratesProcesses  (47 IoCs)
- 2308 WaterMark.exe (x8)
- 3016 WaterMark.exe (x8)
- 2720 WaterMark.exe (x8)
- 2232 svchost.exe (x23)

Suspicious use of AdjustPrivilegeToken  (11 IoCs)
All entries are Token: SeDebugPrivilege:
- 2308 WaterMark.exe (x2)
- 3016 WaterMark.exe (x2)
- 2720 WaterMark.exe (x2)
- 2232 svchost.exe
- 2236 svchost.exe
- 1376 svchost.exe
- 596 svchost.exe
- 2640 svchost.exe

Suspicious use of UnmapMainImage  (6 IoCs)
- 2372 rundll32mgrmgr.exe
- 1964 rundll32mgr.exe
- 2308 WaterMark.exe
- 3016 WaterMark.exe
- 2980 WaterMarkmgr.exe
- 2720 WaterMark.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
Writer PID (process) -> target PID, procid_target, number of writes:
- 2128 (rundll32.exe) -> 2336, target 31, x7
- 2336 (rundll32.exe) -> 1964, target 32, x4
- 1964 (rundll32mgr.exe) -> 2372, target 33, x4
- 1964 (rundll32mgr.exe) -> 3016, target 34, x4
- 2372 (rundll32mgrmgr.exe) -> 2308, target 35, x4
- 2308 (WaterMark.exe) -> 2980, target 36, x4
- 2980 (WaterMarkmgr.exe) -> 2720, target 37, x4
- 3016 (WaterMark.exe) -> 2068, target 38, x10
- 2720 (WaterMark.exe) -> 596, target 39, x10
- 2308 (WaterMark.exe) -> 2640, target 40, x10
- 3016 (WaterMark.exe) -> 2232, target 41, x3
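The Winlogon\Userinit IOC in the signatures above is the persistence hook a responder should verify on a live host. What follows is an added example, not part of the tria.ge report and not Hatching's or the malware's code: it parses an IOC line in the report's `Set value (str) <key> = "<value>" <process>` form (the report doubles the backslashes inside the value, so the parser undoes that), splits the Userinit value on commas the way Winlogon does, and classifies every entry against the stock `C:\Windows\system32\userinit.exe,`. The IOC line embedded below is a constructed copy of the one above; the function names (`parse_setvalue_ioc`, `audit_userinit`, `is_wow64_view`) are this example's own. Note the key sits under Wow6432Node because the writing svchost.exe is a SysWOW64 (32-bit) process and its registry access is redirected; when auditing a 64-bit host, read both the native Winlogon key and the Wow6432Node view.

```python
"""Audit a Winlogon\\Userinit value for Ramnit-style persistence.

Added example for this report, not tria.ge code. SAMPLE_IOC_LINE is a
constructed copy of the 'Modifies WinLogon for persistence' IOC; the
function names are this example's own.
"""
import re
from typing import List, Tuple

# tria.ge renders the registry IOC as:  Set value (str) <key> = "<value>" <process>
# with backslashes inside the value doubled; the parser undoes that.
SAMPLE_IOC_LINE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT'
    r'\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)'
    r'\\microsoft\\watermark.exe" svchost.exe'
)

_SETVALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)


def parse_setvalue_ioc(line: str) -> Tuple[str, str, str]:
    """Return (registry key, decoded value, writing process) from one IOC line."""
    m = _SETVALUE_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'Set value (str)' IOC line")
    value = m.group("value").replace("\\\\", "\\")  # undo the doubled backslashes
    return m.group("key"), value, m.group("proc")


def split_userinit(value: str) -> List[str]:
    """Split a Userinit REG_SZ into program entries.

    The stock value is 'C:\\Windows\\system32\\userinit.exe,' (trailing comma),
    so empty fields are dropped; quotes and whitespace around entries are stripped.
    """
    entries = []
    for field in value.split(","):
        entry = field.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def audit_userinit(value: str) -> List[Tuple[str, str]]:
    """Classify every entry of a Userinit value.

    Returns (entry, reason) for each entry that is not the fully qualified stock
    userinit.exe: 'unqualified' for a bare 'userinit.exe' (resolved through the
    search path instead of %SystemRoot%\\system32), 'extra' for any other
    program. An empty list means the value is stock.
    """
    findings = []
    for entry in split_userinit(value):
        norm = entry.lower().replace("/", "\\")
        if norm.endswith("\\system32\\userinit.exe"):
            continue  # stock entry, whatever drive or %SystemRoot% spelling is used
        if norm == "userinit.exe":
            findings.append((entry, "unqualified"))
        else:
            findings.append((entry, "extra"))
    return findings


def is_wow64_view(key: str) -> bool:
    """True when the key is in the 32-bit (Wow6432Node) registry view.

    The IOC in this report landed there because the writer is a SysWOW64
    process; on 64-bit hosts check both views of the Winlogon key.
    """
    return "\\wow6432node\\" in key.lower()


if __name__ == "__main__":
    key, value, proc = parse_setvalue_ioc(SAMPLE_IOC_LINE)
    print(f"{proc} wrote {key} (wow64 view: {is_wow64_view(key)})")
    for entry, reason in audit_userinit(value):
        print(f"  {reason:11s} {entry}")
```

Run as a script it reports the bare `userinit.exe` as unqualified and `c:\program files (x86)\microsoft\watermark.exe` as an extra program; the same `audit_userinit` can be pointed at the value read from a live host with the registry tool of your choice.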
Processes
(parent/child tree; indentation shows depth; signature hits are listed under each process)

PID 256  C:\Windows\System32\smss.exe  cmd: \SystemRoot\System32\smss.exe
PID 332  C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 380  C:\Windows\system32\wininit.exe  cmd: wininit.exe
  PID 480  C:\Windows\system32\services.exe  cmd: C:\Windows\system32\services.exe
    PID 612  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
      PID 2040  C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID 112  C:\Windows\system32\wbem\wmiprvse.exe  cmd: C:\Windows\system32\wbem\wmiprvse.exe
      PID 2716  C:\Windows\system32\wbem\wmiprvse.exe  cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    PID 688  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS
    PID 768  C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    PID 816  C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      PID 1072  C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"
    PID 860  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs
      PID 1960  \\?\C:\Windows\system32\wbem\WMIADAP.EXE  cmd: wmiadap.exe /F /T /R
    PID 968  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService
    PID 272  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService
    PID 1084  C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"
    PID 1092  C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe
    PID 1172  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    PID 1516  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    PID 2052  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    PID 2188  C:\Windows\system32\sppsvc.exe  cmd: C:\Windows\system32\sppsvc.exe
  PID 488  C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe
  PID 496  C:\Windows\system32\lsm.exe  cmd: C:\Windows\system32\lsm.exe
PID 396  C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 432  C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
PID 1144  C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
  PID 2128  C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 2336  C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 1964  C:\Windows\SysWOW64\rundll32mgr.exe  cmd: C:\Windows\SysWOW64\rundll32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID 2372  C:\Windows\SysWOW64\rundll32mgrmgr.exe  cmd: C:\Windows\SysWOW64\rundll32mgrmgr.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID 2308  C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            PID 2980  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              PID 2720  C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory
                PID 596  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                PID 2236  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
            PID 2640  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
            PID 1376  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
        PID 3016  C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID 2068  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
          PID 2232  C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
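Every svchost.exe in the Ramnit branch of the tree above is started by WaterMark.exe rather than services.exe and runs without the `-k <group>` argument that a real service host is launched with; the injected copies are also the ones that carry the WinLogon and Program Files signatures. The block below is an added example, not tria.ge code and not a detection shipped by Hatching: it turns those two observations into a check over a PID/PPID/image/command-line list and reconstructs the ancestry of each hit so the chain back to rundll32.exe and the dropped DLL is visible. `SAMPLE_TREE` is a constructed subset of this report's process tree, and the names `Proc`, `ancestry`, `find_suspicious_svchost` and `ALLOWED_SVCHOST_PARENTS` are this example's own. Two caveats: the `C:\Windows\SysWOW64\svchost.exe` image with a `C:\Windows\system32\svchost.exe` command line is ordinary file-system redirection for a 32-bit process and is not used as a signal; and on newer Windows builds a few components other than services.exe legitimately start svchost.exe, so the parent allow-list is a Windows 7 starting point to baseline per fleet rather than widen blindly.

```python
"""Flag svchost.exe instances that do not look like service hosts.

Added example for this report, not tria.ge code. SAMPLE_TREE is a constructed
subset of the process tree above (PID, parent PID, image path, command line);
the function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\7b97b9673170dce184556a790a8bf4d0ae847fa757f3564edd0540a187c31621.dll"

SAMPLE_TREE: List[Proc] = [
    # legitimate service hosts: parent is services.exe and a -k group is present
    Proc(480, 380, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    Proc(612, 480, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    Proc(860, 480, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    # the Ramnit chain: rundll32 -> dropped rundll32mgr.exe -> WaterMark.exe -> bare svchost.exe
    Proc(1144, 432, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2128, 1144, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Proc(2336, 2128, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Proc(1964, 2336, r"C:\Windows\SysWOW64\rundll32mgr.exe", r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    Proc(3016, 1964, r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
         r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    Proc(2068, 3016, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(2232, 3016, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
]

# Parents that legitimately start svchost.exe on Windows 7. Newer builds have a
# few more; baseline them per fleet instead of widening this blindly.
ALLOWED_SVCHOST_PARENTS = {"services.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:  # guard against PID-reuse loops
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def find_suspicious_svchost(procs: List[Proc]) -> List[dict]:
    """One finding per svchost.exe that breaks the service-host launch pattern."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if basename(p.image) != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        parent_name = basename(parent.image) if parent else "<unknown>"
        reasons = []
        if parent_name not in ALLOWED_SVCHOST_PARENTS:
            reasons.append(f"parent is {parent_name}, not services.exe")
        if " -k " not in p.cmdline.lower():
            reasons.append("no -k service group on the command line")
        if reasons:
            findings.append({"pid": p.pid, "parent": parent_name,
                             "chain": ancestry(procs, p.pid), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_svchost(SAMPLE_TREE):
        print(f"PID {f['pid']}: {' -> '.join(f['chain'])}")
        for reason in f["reasons"]:
            print("   ", reason)
```

On the sample tree the two hits are PIDs 2068 and 2232, each with both reasons and the chain explorer.exe -> rundll32.exe -> rundll32.exe -> rundll32mgr.exe -> watermark.exe -> svchost.exe; the 2308 branch (596, 2236, 2640, 1376) would match the same way if its rows were added. The same functions work on a live snapshot exported from EDR or a process-listing tool as long as it carries PID, parent PID, image path and command line.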
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 288KB
MD5: cfe059b10b1bc8f06bb9c6138d483841
SHA1: 249c77b3fd7e8ccf8e28265d26b398afa2c35da8
SHA256: 8b8112544efbab0d457590a04fe11069073d29f7b912e7c163cb7ab4c215570f
SHA512: f7fc030eb5650cee2ecdd23e4874b51ce76aebda0d639f7ac7d0c4554f51c81998b935b68a57802c154b6a7d76966ec0c6b59e40654e4ac237f7dc6da88d1d46

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 591KB
MD5: 59f6c85ceddb03722f4c1f47513eff5d
SHA1: e90316a092fbd7b0e1017e744ac445268e81c33b
SHA256: a33bb6c5d07b9e7af3b7582c719da9815c9899cd0a7ccbf1c789b43b80cf11c9
SHA512: cf0d1bfa5587ebee838b9385925d60a124bfc64460e6d0644fdc494dfef2a07e21e1eab7e44e57a8033789ebd04048f109365bab92593d93514c178e241784f4

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 587KB
MD5: a8eeb1f96c47a99985c745959dc36951
SHA1: 752401a6dfb2b7cdeee7601766b1bfcf9b71ab6f
SHA256: a07d4a741ee8dbaedd995ff7a367ee523c24ef18c5a5fd8205fc1bea4ec32c4b
SHA512: 640c1c074f9f4171bb0f35599ee4ea1f260235cb57ad6e0e7815d0d111305cad0216aa3d5d2f740a0788e3ca2c9e8b536605a8f4b53c6d36fc9209fd7b520309

Filesize: 143KB
MD5: 963056968f712dce49fed780756eafa3
SHA1: 1f833526e877d34bda4b7aad52be1b52f25c9bf2
SHA256: be71c16ee9e9ea295cf6f266ddf343c4589843e4288a09f60f9e15923d8f8313
SHA512: 8ff2bd3c17e6a8730940dcc45faa600c5429a1e5e812821350d8c6448ddcc1526f5246608b5a56592276b15a821a78440adf05652c7dfb2b0016707dce9c958e