ramnit | 2c196b72f1f0b3f446b007ef9c85306410ddefbeae0f852eda89224ea77f8f5c

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c196b72f1f0b3f446b007ef9c85306410ddefbeae0f852eda89224ea77f8f5c.dll
Size

748KB
MD5

a7b8dc12d382753fe875c0ce48fcfa3d
SHA1

1701a73317e8e8f2786b983d9832467d65d29d5e
SHA256

2c196b72f1f0b3f446b007ef9c85306410ddefbeae0f852eda89224ea77f8f5c
SHA512

a3d8b1c264e9fa3fb8cdbdb6d0f1d0deb0e402c341a647f12ea3f5dd2738a75dda2dd638e62e12389931913cffe27446a71bacfde00ab912e1719369ed7e7e25
SSDEEP

12288:0hpUrEIZJqr1AkBWwNa5R0EYl795/amaX3QXaPKUjwxhUWsjXGJgmetJxo6:0/jG01NHXaPQIIFeX/

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2668	rundll32mgr.exe
2684	rundll32mgrmgr.exe
2548	WaterMark.exe
2584	WaterMark.exe
3056	WaterMarkmgr.exe
1100	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
2316	rundll32.exe
2316	rundll32.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe
2684	rundll32mgrmgr.exe
2684	rundll32mgrmgr.exe
2548	WaterMark.exe
2548	WaterMark.exe
3056	WaterMarkmgr.exe
3056	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2684-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1100-150-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2584-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2548-71-0x00000000000B0000-0x00000000000DF000-memory.dmp	upx
behavioral1/memory/1100-106-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2548-104-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3056-91-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2668-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2584-503-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2548-648-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1100-653-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2584-906-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1100-911-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javafx-font.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\nio.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4FF4.tmp	WaterMarkmgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2316	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2548	WaterMark.exe
2548	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2548	WaterMark.exe
2548	WaterMark.exe
2548	WaterMark.exe
2548	WaterMark.exe
2548	WaterMark.exe
2548	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	WaterMark.exe
Token: SeDebugPrivilege	2584	WaterMark.exe
Token: SeDebugPrivilege	1100	WaterMark.exe
Token: SeDebugPrivilege	1408	svchost.exe
Token: SeDebugPrivilege	1276	svchost.exe
Token: SeDebugPrivilege	1436	svchost.exe
Token: SeDebugPrivilege	2316	rundll32.exe
Token: SeDebugPrivilege	2848	WerFault.exe
Token: SeDebugPrivilege	2584	WaterMark.exe
Token: SeDebugPrivilege	2548	WaterMark.exe
Token: SeDebugPrivilege	1100	WaterMark.exe
Token: SeDebugPrivilege	1824	svchost.exe
Token: SeDebugPrivilege	2728	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2668	rundll32mgr.exe
2684	rundll32mgrmgr.exe
2548	WaterMark.exe
2584	WaterMark.exe
3056	WaterMarkmgr.exe
1100	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 1868 wrote to memory of 2316	1868	rundll32.exe	30
PID 2316 wrote to memory of 2668	2316	rundll32.exe	31
PID 2316 wrote to memory of 2668	2316	rundll32.exe	31
PID 2316 wrote to memory of 2668	2316	rundll32.exe	31
PID 2316 wrote to memory of 2668	2316	rundll32.exe	31
PID 2316 wrote to memory of 2848	2316	rundll32.exe	32
PID 2316 wrote to memory of 2848	2316	rundll32.exe	32
PID 2316 wrote to memory of 2848	2316	rundll32.exe	32
PID 2316 wrote to memory of 2848	2316	rundll32.exe	32
PID 2668 wrote to memory of 2684	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2684	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2684	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2684	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2584	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 2584	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 2584	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 2584	2668	rundll32mgr.exe	34
PID 2684 wrote to memory of 2548	2684	rundll32mgrmgr.exe	35
PID 2684 wrote to memory of 2548	2684	rundll32mgrmgr.exe	35
PID 2684 wrote to memory of 2548	2684	rundll32mgrmgr.exe	35
PID 2684 wrote to memory of 2548	2684	rundll32mgrmgr.exe	35
PID 2548 wrote to memory of 3056	2548	WaterMark.exe	36
PID 2548 wrote to memory of 3056	2548	WaterMark.exe	36
PID 2548 wrote to memory of 3056	2548	WaterMark.exe	36
PID 2548 wrote to memory of 3056	2548	WaterMark.exe	36
PID 3056 wrote to memory of 1100	3056	WaterMarkmgr.exe	37
PID 3056 wrote to memory of 1100	3056	WaterMarkmgr.exe	37
PID 3056 wrote to memory of 1100	3056	WaterMarkmgr.exe	37
PID 3056 wrote to memory of 1100	3056	WaterMarkmgr.exe	37
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2584 wrote to memory of 1824	2584	WaterMark.exe	38
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 2548 wrote to memory of 2896	2548	WaterMark.exe	39
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40
PID 1100 wrote to memory of 2728	1100	WaterMark.exe	40

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1228
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1376
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1028
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1132
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:2016
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1616
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:268
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c196b72f1f0b3f446b007ef9c85306410ddefbeae0f852eda89224ea77f8f5c.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c196b72f1f0b3f446b007ef9c85306410ddefbeae0f852eda89224ea77f8f5c.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 232
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
590KB

MD5
c5866a7c1d3d0493bde9ee9ef1952a2a

SHA1
f70a43eaddfede586b8e3707e456c7aef348391b

SHA256
810c0b99fbbcb5cd036720376e68b8bbfc71194199fe0f84ba93ed9fc2a753c5

SHA512
1d5f13abb9b1da5cfdc948cc68d22611cb0e8693fdc95fb2382e30d553561729cade3004f129f355f73694c34605995cc9ff6e06bf8b18647e9c705f6035601e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
587KB

MD5
575bdc3cdfe73f7c862a0dadd2745836

SHA1
dabc06e299ba37f6440ac7b99fcfc00ca3adf54c

SHA256
2e7890280f2301063290d8bfc159639f1e9eb931f1e8b1bea1153e643a37df34

SHA512
12d5d028418587fc5a87da35933e1b94314d0b1cc732642f7ecfe5d8891a441c63359eadb129838333893427b1294441f55f049dedb3deb91b1a228b36b7f402

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
288KB

MD5
4081b8f3eb2241948352d6b4d7be5909

SHA1
ce6d7ccbb8c1ff88799bfe215a66931f64841c2e

SHA256
91f0f15f84f0f28d49d5d2b2d43ee3687a4a3e2da7d601c7d4f4dcb50a7b69e2

SHA512
fa0f1322403d8f3c75cf5f511b2d525469dbddfbc0bbed7a348206437c39e41999baae951ec0305a7df49e96c9c9fe246f2e341c1b043cc7280a6eba0baead48

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
143KB

MD5
963056968f712dce49fed780756eafa3

SHA1
1f833526e877d34bda4b7aad52be1b52f25c9bf2

SHA256
be71c16ee9e9ea295cf6f266ddf343c4589843e4288a09f60f9e15923d8f8313

SHA512
8ff2bd3c17e6a8730940dcc45faa600c5429a1e5e812821350d8c6448ddcc1526f5246608b5a56592276b15a821a78440adf05652c7dfb2b0016707dce9c958e

Download Submit
memory/1100-106-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-109-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1100-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1100-653-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1100-911-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1824-113-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1824-111-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2316-11-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/2316-0-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2316-2-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2316-12-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/2316-652-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2316-4-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2316-1-0x0000000010000000-0x00000000100BC000-memory.dmp

Filesize
752KB

Download
memory/2548-70-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/2548-71-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/2548-649-0x000000007769F000-0x00000000776A0000-memory.dmp

Filesize
4KB

Download
memory/2548-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2548-105-0x000000007769F000-0x00000000776A0000-memory.dmp

Filesize
4KB

Download
memory/2548-104-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2548-102-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2548-648-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2584-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2584-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2584-906-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2584-103-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2584-503-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2668-29-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2668-28-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2668-27-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2668-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2668-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2684-54-0x0000000000700000-0x0000000000754000-memory.dmp

Filesize
336KB

Download
memory/2684-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2684-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-130-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2896-151-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2896-152-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2896-153-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3056-98-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/3056-99-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/3056-91-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download