ramnit | bd55437b3a39fd70efebcfd279a159cb2791fb9f65ee028c896518d51cae5e1c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd55437b3a39fd70efebcfd279a159cb2791fb9f65ee028c896518d51cae5e1c.dll
Size

947KB
MD5

c503bb48123a473d47529556d509ad84
SHA1

86262b700eacec34f8a284a3fad5ba3e85e09dec
SHA256

bd55437b3a39fd70efebcfd279a159cb2791fb9f65ee028c896518d51cae5e1c
SHA512

88c011aaf85ec9761fe4ab4344d2948baef80a558ef4889dfcc41e5774ac515a4b82984e70a01dcd717075f76de79e36d654af76d2de9782bc27302cb864ca5b
SSDEEP

24576:Qzb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPtm6104l:QzbKsUmjtcdPGgIwPtmizl

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2528	rundll32mgr.exe
880	rundll32mgrmgr.exe
2860	WaterMark.exe
1916	WaterMark.exe
2740	WaterMarkmgr.exe
2776	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
1704	rundll32.exe
1704	rundll32.exe
2528	rundll32mgr.exe
2528	rundll32mgr.exe
880	rundll32mgrmgr.exe
880	rundll32mgrmgr.exe
2528	rundll32mgr.exe
2528	rundll32mgr.exe
2860	WaterMark.exe
2860	WaterMark.exe
2740	WaterMarkmgr.exe
2740	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/880-36-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/880-40-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2740-84-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2860-134-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2860-142-0x0000000000120000-0x000000000014F000-memory.dmp	upx
behavioral1/memory/2776-143-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1916-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2776-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2860-131-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2860-64-0x0000000000120000-0x000000000014F000-memory.dmp	upx
behavioral1/memory/2860-789-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2776-791-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2776-796-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2528-4228-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\MSOERES.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msxactps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\MSPVWCTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdmproxy100.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2860	WaterMark.exe
2860	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
2860	WaterMark.exe
2860	WaterMark.exe
2776	WaterMark.exe
2860	WaterMark.exe
2776	WaterMark.exe
2860	WaterMark.exe
2776	WaterMark.exe
2860	WaterMark.exe
2860	WaterMark.exe
2776	WaterMark.exe
2776	WaterMark.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe
1028	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	WaterMark.exe
Token: SeDebugPrivilege	2776	WaterMark.exe
Token: SeDebugPrivilege	1028	svchost.exe
Token: SeDebugPrivilege	2524	svchost.exe
Token: SeDebugPrivilege	1704	rundll32.exe
Token: SeDebugPrivilege	2860	WaterMark.exe
Token: SeDebugPrivilege	2776	WaterMark.exe
Token: SeDebugPrivilege	2916	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2528	rundll32mgr.exe
880	rundll32mgrmgr.exe
2860	WaterMark.exe
2740	WaterMarkmgr.exe
1916	WaterMark.exe
2776	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 2440 wrote to memory of 1704	2440	rundll32.exe	30
PID 1704 wrote to memory of 2528	1704	rundll32.exe	31
PID 1704 wrote to memory of 2528	1704	rundll32.exe	31
PID 1704 wrote to memory of 2528	1704	rundll32.exe	31
PID 1704 wrote to memory of 2528	1704	rundll32.exe	31
PID 2528 wrote to memory of 880	2528	rundll32mgr.exe	32
PID 2528 wrote to memory of 880	2528	rundll32mgr.exe	32
PID 2528 wrote to memory of 880	2528	rundll32mgr.exe	32
PID 2528 wrote to memory of 880	2528	rundll32mgr.exe	32
PID 880 wrote to memory of 2860	880	rundll32mgrmgr.exe	33
PID 880 wrote to memory of 2860	880	rundll32mgrmgr.exe	33
PID 880 wrote to memory of 2860	880	rundll32mgrmgr.exe	33
PID 880 wrote to memory of 2860	880	rundll32mgrmgr.exe	33
PID 2528 wrote to memory of 1916	2528	rundll32mgr.exe	34
PID 2528 wrote to memory of 1916	2528	rundll32mgr.exe	34
PID 2528 wrote to memory of 1916	2528	rundll32mgr.exe	34
PID 2528 wrote to memory of 1916	2528	rundll32mgr.exe	34
PID 2860 wrote to memory of 2740	2860	WaterMark.exe	35
PID 2860 wrote to memory of 2740	2860	WaterMark.exe	35
PID 2860 wrote to memory of 2740	2860	WaterMark.exe	35
PID 2860 wrote to memory of 2740	2860	WaterMark.exe	35
PID 2740 wrote to memory of 2776	2740	WaterMarkmgr.exe	36
PID 2740 wrote to memory of 2776	2740	WaterMarkmgr.exe	36
PID 2740 wrote to memory of 2776	2740	WaterMarkmgr.exe	36
PID 2740 wrote to memory of 2776	2740	WaterMarkmgr.exe	36
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2776 wrote to memory of 2916	2776	WaterMark.exe	37
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 3004	2860	WaterMark.exe	38
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2860 wrote to memory of 1028	2860	WaterMark.exe	39
PID 2776 wrote to memory of 2524	2776	WaterMark.exe	40
PID 2776 wrote to memory of 2524	2776	WaterMark.exe	40
PID 2776 wrote to memory of 2524	2776	WaterMark.exe	40

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:616
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1616
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1676
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:692
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2692
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:928
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1080
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:872
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2300
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2256
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd55437b3a39fd70efebcfd279a159cb2791fb9f65ee028c896518d51cae5e1c.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd55437b3a39fd70efebcfd279a159cb2791fb9f65ee028c896518d51cae5e1c.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
590KB

MD5
9dbd32d0527bc7abe5de8bd35bfaed62

SHA1
96309b6f4ee30e89d2460c4d5c6462c6c4b98ae7

SHA256
fc57487462dcdd2ac08370cd6e05b59a9284a1e23c13bee989addda0e17ddc75

SHA512
925fff90a1223beb4cb3699d9f6bd3601c90a5f5ed5f2687c1203df6f4273d8b8eb43712637c16b93ed1ef891134442360547556ce625cfc3f64b8c88d349072

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
587KB

MD5
37973e3785b8a83936eadcb0726d8658

SHA1
263fb7f33229a967d7235652c3f31c13a1049758

SHA256
92c56ba61dad435d9c42e86fe90c7c77d7496a12cefaeb173588bef6afa57cc3

SHA512
a15778eb4d6db66c269caf9e467dc6ad691b4132ab8b749d621fb3847a87a9d4dc81573d1c48f1ae4130c16cc5abcd033e714c6189a641d610c8d2d24edd12f3

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
288KB

MD5
4081b8f3eb2241948352d6b4d7be5909

SHA1
ce6d7ccbb8c1ff88799bfe215a66931f64841c2e

SHA256
91f0f15f84f0f28d49d5d2b2d43ee3687a4a3e2da7d601c7d4f4dcb50a7b69e2

SHA512
fa0f1322403d8f3c75cf5f511b2d525469dbddfbc0bbed7a348206437c39e41999baae951ec0305a7df49e96c9c9fe246f2e341c1b043cc7280a6eba0baead48

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
143KB

MD5
963056968f712dce49fed780756eafa3

SHA1
1f833526e877d34bda4b7aad52be1b52f25c9bf2

SHA256
be71c16ee9e9ea295cf6f266ddf343c4589843e4288a09f60f9e15923d8f8313

SHA512
8ff2bd3c17e6a8730940dcc45faa600c5429a1e5e812821350d8c6448ddcc1526f5246608b5a56592276b15a821a78440adf05652c7dfb2b0016707dce9c958e

Download Submit
memory/880-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/880-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-3-0x0000000005000000-0x00000000050F2000-memory.dmp

Filesize
968KB

Download
memory/1704-1-0x0000000005000000-0x00000000050F2000-memory.dmp

Filesize
968KB

Download
memory/1704-37-0x0000000000810000-0x0000000000864000-memory.dmp

Filesize
336KB

Download
memory/1704-12-0x0000000000810000-0x0000000000864000-memory.dmp

Filesize
336KB

Download
memory/1704-0-0x0000000005000000-0x00000000050F2000-memory.dmp

Filesize
968KB

Download
memory/1704-4-0x0000000005000000-0x00000000050F2000-memory.dmp

Filesize
968KB

Download
memory/1916-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-39-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2528-38-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/2528-4228-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2528-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-42-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/2528-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-84-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-86-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/2740-85-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2776-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-94-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2776-796-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-791-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2860-136-0x0000000077B0F000-0x0000000077B10000-memory.dmp

Filesize
4KB

Download
memory/2860-790-0x0000000077B0F000-0x0000000077B10000-memory.dmp

Filesize
4KB

Download
memory/2860-131-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2860-77-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2860-789-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2860-64-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2860-134-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2860-142-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2916-96-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2916-98-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3004-138-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3004-139-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3004-140-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3004-115-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3004-120-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download