ramnit | abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll
Size

691KB
MD5

b7e4578474a53fe33508f392c29fbc7b
SHA1

3daa3c9b1d4a83b87de2f77e8a26760e35fde0ee
SHA256

abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016
SHA512

52aa6ac9c29533a37d75d7092f1ca9487159d2e4a29a9a92418b74946cf9867432105dd957286308774a1a17cab02cfe1cdb25bf5d60f910851c9775f5beb77b
SSDEEP

12288:gh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMN70Q6sihM0PNWjD:g8F+Pzr/Hfp4MIYwZckMQm70Q7WWf

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2160	rundll32mgr.exe
2188	rundll32mgrmgr.exe
3016	WaterMark.exe
2800	WaterMark.exe
2908	WaterMarkmgr.exe
2516	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
2344	rundll32.exe
2344	rundll32.exe
2160	rundll32mgr.exe
2160	rundll32mgr.exe
2160	rundll32mgr.exe
2188	rundll32mgrmgr.exe
2160	rundll32mgr.exe
2188	rundll32mgrmgr.exe
3016	WaterMark.exe
3016	WaterMark.exe
2908	WaterMarkmgr.exe
2908	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3016-92-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2516-88-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2908-82-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2160-37-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2160-35-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2160-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2188-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2188-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2188-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2188-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3016-830-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3016-833-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2800-836-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dcpr.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3016	WaterMark.exe
3016	WaterMark.exe
2800	WaterMark.exe
2800	WaterMark.exe
2516	WaterMark.exe
2516	WaterMark.exe
2800	WaterMark.exe
2800	WaterMark.exe
2800	WaterMark.exe
2800	WaterMark.exe
2516	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
2516	WaterMark.exe
2516	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
2516	WaterMark.exe
2800	WaterMark.exe
2800	WaterMark.exe
2516	WaterMark.exe
2516	WaterMark.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe
1380	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	WaterMark.exe
Token: SeDebugPrivilege	2800	WaterMark.exe
Token: SeDebugPrivilege	2516	WaterMark.exe
Token: SeDebugPrivilege	1380	svchost.exe
Token: SeDebugPrivilege	1588	svchost.exe
Token: SeDebugPrivilege	3028	svchost.exe
Token: SeDebugPrivilege	3016	WaterMark.exe
Token: SeDebugPrivilege	2800	WaterMark.exe
Token: SeDebugPrivilege	2516	WaterMark.exe
Token: SeDebugPrivilege	1892	svchost.exe
Token: SeDebugPrivilege	2748	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2188	rundll32mgrmgr.exe
2160	rundll32mgr.exe
3016	WaterMark.exe
2800	WaterMark.exe
2908	WaterMarkmgr.exe
2516	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2600 wrote to memory of 2344	2600	rundll32.exe	29
PID 2344 wrote to memory of 2160	2344	rundll32.exe	30
PID 2344 wrote to memory of 2160	2344	rundll32.exe	30
PID 2344 wrote to memory of 2160	2344	rundll32.exe	30
PID 2344 wrote to memory of 2160	2344	rundll32.exe	30
PID 2160 wrote to memory of 2188	2160	rundll32mgr.exe	31
PID 2160 wrote to memory of 2188	2160	rundll32mgr.exe	31
PID 2160 wrote to memory of 2188	2160	rundll32mgr.exe	31
PID 2160 wrote to memory of 2188	2160	rundll32mgr.exe	31
PID 2160 wrote to memory of 2800	2160	rundll32mgr.exe	32
PID 2160 wrote to memory of 2800	2160	rundll32mgr.exe	32
PID 2160 wrote to memory of 2800	2160	rundll32mgr.exe	32
PID 2160 wrote to memory of 2800	2160	rundll32mgr.exe	32
PID 2188 wrote to memory of 3016	2188	rundll32mgrmgr.exe	33
PID 2188 wrote to memory of 3016	2188	rundll32mgrmgr.exe	33
PID 2188 wrote to memory of 3016	2188	rundll32mgrmgr.exe	33
PID 2188 wrote to memory of 3016	2188	rundll32mgrmgr.exe	33
PID 3016 wrote to memory of 2908	3016	WaterMark.exe	34
PID 3016 wrote to memory of 2908	3016	WaterMark.exe	34
PID 3016 wrote to memory of 2908	3016	WaterMark.exe	34
PID 3016 wrote to memory of 2908	3016	WaterMark.exe	34
PID 2908 wrote to memory of 2516	2908	WaterMarkmgr.exe	35
PID 2908 wrote to memory of 2516	2908	WaterMarkmgr.exe	35
PID 2908 wrote to memory of 2516	2908	WaterMarkmgr.exe	35
PID 2908 wrote to memory of 2516	2908	WaterMarkmgr.exe	35
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2800 wrote to memory of 1892	2800	WaterMark.exe	36
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 2516 wrote to memory of 2748	2516	WaterMark.exe	38
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 3016 wrote to memory of 980	3016	WaterMark.exe	37
PID 2800 wrote to memory of 1588	2800	WaterMark.exe	39
PID 2800 wrote to memory of 1588	2800	WaterMark.exe	39
PID 2800 wrote to memory of 1588	2800	WaterMark.exe	39

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1440
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1032
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:108
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1088
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:796
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:588
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:364
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
524KB

MD5
e1838e912649d848baba9f0d58784bdc

SHA1
3fc3c69fe1b7be577bcdf9cb324fd62dfe91ba1c

SHA256
c4a569858c7805d7552a5d297e7c460ddbabc052c0947f619c516b2b0637b74f

SHA512
ecf28dd369f89432affe367d77a40e383050ec88b22154e538b9a0db86dee7f32870e89f79d450693552c78dd5373d2c894ce63d57e90348a5a7be0d1588737f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
521KB

MD5
1bfc67e880708dc187b4b99256b48429

SHA1
c4b242354f90cf1980c4a541f11bfb1d79ae8bee

SHA256
bf28d6e2ad62e82d15bb52280c8f2305c9b415dea3ea9cd462be42fef0f947d2

SHA512
520a83b44633d4cb2da99fbeb74fc865e852c17b4ca9feac348663e589ee874d69e68e59b6ed4351ecd3563932fbb39ac8c312799919f264abd5fdb9e5bbcecc

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
255KB

MD5
6ea88d3eaa4dc3511a4bcc65fb8537a9

SHA1
79158ba5448805d6d1bef347b7c4838ae474e10e

SHA256
34d1d22466de36804d7e1a7313c0a6fd966675846eb59cc1f205d37d1db71093

SHA512
26dbb5b5caa158b70ae15090b0909938e658c6847ff207273d45eaa7b9f6196bbd40d73fabe76f5e26962f1784f1e39b0839b418b96c5f8d424148a12e8256ad

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
126KB

MD5
036dca3575c999ae72229f418a5f0882

SHA1
cae8eae8bd130555eeed7d32fa93d074f134b0a6

SHA256
323c53cb996602a9a145e1e18fbe04320a465c96e3d5f2bea7ab70b3b00cad63

SHA512
3943d34e53ab2092927d08c91be2838ca59140c62d2b46a5cea960b14c080f2adc406150e8c9c0d7683b6b5f206e84eda6c219e25e9065080271caa7ecd417a6

Download Submit
memory/1892-100-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1892-98-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2160-47-0x00000000001D0000-0x000000000021D000-memory.dmp

Filesize
308KB

Download
memory/2160-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2160-21-0x0000000000130000-0x000000000015C000-memory.dmp

Filesize
176KB

Download
memory/2160-20-0x0000000000130000-0x000000000015C000-memory.dmp

Filesize
176KB

Download
memory/2160-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2160-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2160-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-28-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2188-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2188-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2188-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2344-1-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2344-9-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2344-10-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2344-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2516-88-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2516-96-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2800-836-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2800-94-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2908-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3016-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3016-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3016-65-0x00000000000B0000-0x00000000000DC000-memory.dmp

Filesize
176KB

Download
memory/3016-66-0x00000000000B0000-0x00000000000DC000-memory.dmp

Filesize
176KB

Download
memory/3016-830-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3016-833-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3016-93-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download