Analysis
  max time kernel: 120s
  max time network: 85s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 26/12/2024, 19:25

Static task: static1
Behavioral task: behavioral1
  Sample: 6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll
  Resource: win7-20240903-en

General
  Target: 6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll
  Size: 439KB
  MD5: afca455fdde4658e22c9bbbb75c124f0
  SHA1: 3bb347d1f42ba804c920ef5e43f226eddb8796a6
  SHA256: 6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0
  SHA512: 48c67bfaf755b4fcd36ff89ef55bbdc61e289e0da8a0f5330e825e1ef0dbb12ef5c5d03c65f62c79992b90cbf1427114cd7a72126326e6622fca00f04150acac
  SSDEEP: 6144:yOp8HpzdQOStK+XsAWxnuTNo3+wO90oi8T:yOp8Hpz7+XsBJ+SXO9g8T
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by svchost.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon; the sample appends its dropped copy, WaterMark.exe, to that list and replaces the stock fully qualified C:\Windows\system32\userinit.exe with a bare "userinit.exe". The write landed in the WOW64-redirected Wow6432Node view because the writer is the 32-bit C:\Windows\SysWOW64\svchost.exe (PID 1312 in the process tree), so when hunting on 64-bit hosts check both the native and the Wow6432Node Winlogon keys.
Ramnit family

Executes dropped EXE (6 IoCs)
  1728 rundll32mgr.exe
  3060 rundll32mgrmgr.exe
  2788 WaterMark.exe
  2940 WaterMark.exe
  2716 WaterMarkmgr.exe
  3000 WaterMark.exe

Loads dropped DLL (12 IoCs; count per process in parentheses)
  1448 rundll32.exe (2)
  1728 rundll32mgr.exe (4)
  3060 rundll32mgrmgr.exe (2)
  2788 WaterMark.exe (2)
  2716 WaterMarkmgr.exe (2)

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\dmlconf.dat         svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat         svchost.exe
  File created                  C:\Windows\SysWOW64\rundll32mgr.exe     rundll32.exe
  File created                  C:\Windows\SysWOW64\rundll32mgrmgr.exe  rundll32mgr.exe

Memory dumps matching YARA rule upx (19 IoCs)
  The same 0x00400000-0x00421000 image shows up in every dropped process, i.e. one UPX-packed payload copied under different file names.
  behavioral1/memory/1728-36-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-41-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3000-160-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2788-151-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2940-77-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2788-67-0x0000000000120000-0x0000000000159000-memory.dmp
  behavioral1/memory/2788-99-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3000-95-0x0000000000400000-0x0000000000464000-memory.dmp
  behavioral1/memory/2716-89-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-51-0x00000000001A0000-0x0000000000204000-memory.dmp
  behavioral1/memory/1728-34-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/1728-33-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-26-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-25-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-24-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3060-23-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2940-898-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2788-901-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/3000-904-0x0000000000400000-0x0000000000421000-memory.dmp
Drops file in Program Files directory (64 IoCs)
  Every entry is "File opened for modification" by svchost.exe (PID 1312 in the process tree). The targets are .exe, .dll, .htm and .html files, the file types Ramnit infects, so this list is the file-infection pass rather than a drop of new files. The list is capped at 64 entries: the two modified .html files under Downloads below (org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444) are not among them.
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  C:\Program Files\Java\jre7\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
  C:\Program Files\Java\jre7\bin\instrument.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Windows Journal\JNTFiltr.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll
  C:\Program Files\Mozilla Firefox\pingsender.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll
  C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_output\libglinterop_dxva2_plugin.dll
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll
  C:\Program Files\DVD Maker\PipeTran.dll
  C:\Program Files\Internet Explorer\msdbg2.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
  C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll
  C:\Program Files\DVD Maker\OmdProject.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll
  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
  C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll
  C:\Program Files\DVD Maker\Pipeline.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll
  C:\Program Files\Java\jre7\bin\jfxmedia.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll
  C:\Program Files\Java\jre7\bin\keytool.exe
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll
  C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by svchost.exe (6), WaterMark.exe (3), WaterMarkmgr.exe (1), rundll32.exe (1), rundll32mgr.exe (1), rundll32mgrmgr.exe (1)
Suspicious behavior: EnumeratesProcesses (47 IoCs; count per process in parentheses)
  2788 WaterMark.exe (8)
  2940 WaterMark.exe (8)
  3000 WaterMark.exe (8)
  2116 svchost.exe (23)

Suspicious use of AdjustPrivilegeToken (12 IoCs, all SeDebugPrivilege)
  2788 WaterMark.exe (2)
  2940 WaterMark.exe (2)
  3000 WaterMark.exe (2)
  1448 rundll32.exe
  2116 svchost.exe
  2392 svchost.exe
  1908 svchost.exe
  860 svchost.exe
  824 svchost.exe

Suspicious use of UnmapMainImage (6 IoCs)
  3060 rundll32mgrmgr.exe
  1728 rundll32mgr.exe
  2788 WaterMark.exe
  2940 WaterMark.exe
  2716 WaterMarkmgr.exe
  3000 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs, grouped by source and target; the last column is Triage's own process index for the target, not a PID)
  source PID / image          target PID   writes   target index
  2028 rundll32.exe           1448         7        31
  1448 rundll32.exe           1728         4        32
  1728 rundll32mgr.exe        3060         4        33
  1728 rundll32mgr.exe        2940         4        34
  3060 rundll32mgrmgr.exe     2788         4        35
  2788 WaterMark.exe          2716         4        36
  2716 WaterMarkmgr.exe       3000         4        37
  2940 WaterMark.exe          860          10       38
  3000 WaterMark.exe          824          10       40
  2788 WaterMark.exe          1312         10       39
  2940 WaterMark.exe          2116         3        41
  Every process the sample starts receives four writes from its parent; the svchost.exe children of WaterMark.exe receive ten, which is consistent with code being injected into a freshly started svchost.exe. PID 1312, one of those children, is the process that then modifies Winlogon\Userinit and rewrites the Program Files binaries. The list stops at 64 entries, so the final edge (2940 to 2116) is under-counted.
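A small parser for the "PID X wrote to memory of Y X image N" lines above that rebuilds the process lineage and separates the per-creation writes from the heavier bursts into the svchost.exe children, as an added example that is not part of the Triage report. SAMPLE_IOCS is regenerated from this report's per-edge counts so the parser runs on the same shape of text Triage shows; the baseline of four writes per process creation is an assumption read off this report, not a documented Triage constant.

```python
"""
Rebuilds process lineage from Triage "Suspicious use of WriteProcessMemory" IoCs
and flags edges whose write count exceeds what a plain process creation produced
in this run. Added example, not part of the Triage report. The 4-writes-per-creation
baseline is an assumption taken from this report, not a documented Triage constant.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# "PID 2028 wrote to memory of 1448 2028 rundll32.exe 31"
#       src                      dst  src  image        triage index of target
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

CREATION_BASELINE = 4  # writes each parent made into each child it merely started

Edge = Tuple[int, str, int]  # (src_pid, src_image, dst_pid)


def parse_wpm(text: str) -> "Counter[Edge]":
    """Count writes per (source pid, source image, target pid)."""
    edges: "Counter[Edge]" = Counter()
    for src, dst, name, _idx in IOC_RE.findall(text):
        edges[(int(src), name, int(dst))] += 1
    return edges


def build_parents(edges) -> Dict[int, Tuple[int, str]]:
    """The first writer into a pid is taken as its parent (true for creation writes)."""
    parents: Dict[int, Tuple[int, str]] = {}
    for (src, name, dst) in edges:
        parents.setdefault(dst, (src, name))
    return parents


def lineage(parents, pid: int) -> List[int]:
    """Root-to-leaf chain of pids ending at pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]][0])
    return chain[::-1]


def injection_candidates(edges, baseline: int = CREATION_BASELINE):
    """Edges with more writes than a bare process creation, heaviest first."""
    hits = [(src, name, dst, n) for (src, name, dst), n in edges.items() if n > baseline]
    return sorted(hits, key=lambda t: -t[3])


# Per-edge counts read off this report's list, expanded back into IoC text.
_REPORT_EDGES = [  # (src_pid, src_image, dst_pid, triage_index, writes)
    (2028, "rundll32.exe", 1448, 31, 7),
    (1448, "rundll32.exe", 1728, 32, 4),
    (1728, "rundll32mgr.exe", 3060, 33, 4),
    (1728, "rundll32mgr.exe", 2940, 34, 4),
    (3060, "rundll32mgrmgr.exe", 2788, 35, 4),
    (2788, "WaterMark.exe", 2716, 36, 4),
    (2716, "WaterMarkmgr.exe", 3000, 37, 4),
    (2940, "WaterMark.exe", 860, 38, 10),
    (3000, "WaterMark.exe", 824, 40, 10),
    (2788, "WaterMark.exe", 1312, 39, 10),
    (2940, "WaterMark.exe", 2116, 41, 3),  # cut short by the 64-entry cap
]
SAMPLE_IOCS = " ".join(
    f"PID {s} wrote to memory of {d} {s} {name} {idx}"
    for s, name, d, idx, n in _REPORT_EDGES for _ in range(n)
)

if __name__ == "__main__":
    edges = parse_wpm(SAMPLE_IOCS)
    parents = build_parents(edges)
    for src, name, dst, n in injection_candidates(edges):
        print(f"{n:2d} writes  {src} {name} -> {dst}   lineage {lineage(parents, dst)}")
```

The count is a triage aid, not proof: the 64-bit rundll32.exe (2028) relaunching its SysWOW64 copy (1448) also exceeds the baseline with seven writes, so the output should be read together with the process tree, where the three ten-write targets are the svchost.exe processes that carry the persistence and file-infection signatures.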
Processes
  Indented by depth. Each line gives the image path, then the command line where it differs from the image, then the PID; [tags] are the signatures Triage attached to that process.

C:\Windows\System32\smss.exe  \SystemRoot\System32\smss.exe  PID 256
C:\Windows\system32\csrss.exe  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID 332
C:\Windows\system32\wininit.exe  wininit.exe  PID 380
  C:\Windows\system32\services.exe  PID 476
    C:\Windows\system32\svchost.exe -k DcomLaunch  PID 592
      C:\Windows\system32\wbem\wmiprvse.exe  PID 1712
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 400
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding  PID 948
    C:\Windows\system32\svchost.exe -k RPCSS  PID 672
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  PID 760
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  PID 808
      C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID 1176
    C:\Windows\system32\svchost.exe -k netsvcs  PID 852
      \\?\C:\Windows\system32\wbem\WMIADAP.EXE  wmiadap.exe /F /T /R  PID 2164
    C:\Windows\system32\svchost.exe -k LocalService  PID 968
    C:\Windows\system32\svchost.exe -k NetworkService  PID 284
    C:\Windows\System32\spoolsv.exe  PID 348
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  PID 1072
    C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID 1108
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  PID 1500
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  PID 2960
    C:\Windows\system32\sppsvc.exe  PID 2396
  C:\Windows\system32\lsass.exe  PID 492
  C:\Windows\system32\lsm.exe  PID 500
C:\Windows\system32\csrss.exe  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID 396
C:\Windows\system32\winlogon.exe  winlogon.exe  PID 432
C:\Windows\Explorer.EXE  PID 1200
  C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll,#1  PID 2028
    [Suspicious use of WriteProcessMemory]
    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll,#1  PID 1448
      [Loads dropped DLL; Drops file in System32 directory; System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
      C:\Windows\SysWOW64\rundll32mgr.exe  PID 1728
        [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
        C:\Windows\SysWOW64\rundll32mgrmgr.exe  PID 3060
          [Executes dropped EXE; Loads dropped DLL; System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
          C:\Program Files (x86)\Microsoft\WaterMark.exe  PID 2788
            [Executes dropped EXE; Loads dropped DLL; System Language Discovery; EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
            C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  PID 2716
              [Executes dropped EXE; Loads dropped DLL; System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
              C:\Program Files (x86)\Microsoft\WaterMark.exe  PID 3000
                [Executes dropped EXE; System Language Discovery; EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
                C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 824
                  [System Language Discovery; Suspicious use of AdjustPrivilegeToken]
                C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 1908
                  [System Language Discovery; Suspicious use of AdjustPrivilegeToken]
            C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 1312
              [Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; System Language Discovery]
            C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 2392
              [System Language Discovery; Suspicious use of AdjustPrivilegeToken]
        C:\Program Files (x86)\Microsoft\WaterMark.exe  PID 2940
          [Executes dropped EXE; System Language Discovery; EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory]
          C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 860
            [System Language Discovery; Suspicious use of AdjustPrivilegeToken]
          C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID 2116
            [System Language Discovery; EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]

  The 64-bit rundll32.exe (PID 2028) relaunched its SysWOW64 copy (PID 1448), which indicates the submitted DLL is 32-bit; everything below that point is 32-bit. The svchost.exe children were launched with the System32 command line but resolved to C:\Windows\SysWOW64\svchost.exe through WOW64 redirection, which is also why the Userinit write landed under Wow6432Node. None of the svchost.exe children carry "Executes dropped EXE": they are legitimate binaries whose behaviour was supplied by the parent's writes into their memory.
Network
MITRE ATT&CK Enterprise v15
Downloads
  The two .html entries are licence files under the JDK's missioncontrol directory that were rewritten during the run; at roughly 690KB each they are far larger than the licence text they replace, which is consistent with Ramnit appending its dropper to HTML files. The two unnamed entries are reported by hash only.

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 692KB
  MD5: 68f5a696dc1835441a18f1b2325e12b4
  SHA1: 0f4a88221f9b1f2ad67361de27af3bd674ce49b2
  SHA256: 2a99904be6c0a33bf4be120ef18f8696cacad9e784e7fdd6c84bc61c0e981bf5
  SHA512: 086d7e946d5ccc5ad8768d1ded5344540d82446b18c64ce979a483b7552c48b20f9cface9cfa715ee6073b837b8ee3e36fae262910b5dc4c2f7ea0ef4df05e61

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 689KB
  MD5: 618f639800fe5d9ffe05d0d467df54f3
  SHA1: db323fde4f2115eed4b0fb6738478bdab152d73d
  SHA256: 881041f450a405de0a48b84e9f42051213092b4701cb73028f958ca5a844a5aa
  SHA512: 30ea34672cf44a71999a7790f8581c1baf6d6f678210a5e4bb8f7292b4b4bf75ffdfed6772f209418f36f4484bf756edb57dd19791451bef9f30a1fc621776af

(unnamed)
  Filesize: 339KB
  MD5: 7385f723cdfd6a19523b29e19fe63e39
  SHA1: 6eb6694a76aab6587eb45575f380cc7a80c66bc5
  SHA256: a50f5786e2dd07cfbc89f72484e3af5dcccc31d476713bd7b433c6f74ebc4e37
  SHA512: 858c17a06aec78976775cd9df4f2652cfb97e35c14aa863e88f27cd332c6b6ecdb0c062d0cfdb53436981b50ba4681ebe04d00128df8be67398d021aa6d83632

(unnamed)
  Filesize: 168KB
  MD5: 0943b815c588255874985439061ba474
  SHA1: 31ad4cdb76003b35f553cb96c78d887e7c960eba
  SHA256: 7b1559c2f8d511f7be152a22809b358088048fc3e00d9963b92ad0ecb384bf51
  SHA512: fce7596624b5c224cbaaae55c4b224ff995eea33ed0ca9d40c33cfb5ffaa98f387f267175788f5431ca7209c2c69ef1024b9541f7b53a1a3c6412b09a19bd601