ramnit | abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll
Size

691KB
MD5

b7e4578474a53fe33508f392c29fbc7b
SHA1

3daa3c9b1d4a83b87de2f77e8a26760e35fde0ee
SHA256

abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016
SHA512

52aa6ac9c29533a37d75d7092f1ca9487159d2e4a29a9a92418b74946cf9867432105dd957286308774a1a17cab02cfe1cdb25bf5d60f910851c9775f5beb77b
SSDEEP

12288:gh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMN70Q6sihM0PNWjD:g8F+Pzr/Hfp4MIYwZckMQm70Q7WWf

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2692	rundll32mgr.exe
2712	rundll32mgrmgr.exe
2700	WaterMark.exe
2608	WaterMark.exe
1948	WaterMarkmgr.exe
2496	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
2460	rundll32.exe
2460	rundll32.exe
2692	rundll32mgr.exe
2692	rundll32mgr.exe
2692	rundll32mgr.exe
2692	rundll32mgr.exe
2712	rundll32mgrmgr.exe
2712	rundll32mgrmgr.exe
2608	WaterMark.exe
2608	WaterMark.exe
1948	WaterMarkmgr.exe
1948	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2692-36-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2712-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2712-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2712-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2712-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2712-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2496-129-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2496-132-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1948-114-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2700-755-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2608-756-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\Microsoft.Ink.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdm.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANR.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte18_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\wlsrvc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2608	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
2700	WaterMark.exe
2608	WaterMark.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe
1280	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	WaterMark.exe
Token: SeDebugPrivilege	2700	WaterMark.exe
Token: SeDebugPrivilege	1280	svchost.exe
Token: SeDebugPrivilege	1320	svchost.exe
Token: SeDebugPrivilege	2700	WaterMark.exe
Token: SeDebugPrivilege	2608	WaterMark.exe
Token: SeDebugPrivilege	2440	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2712	rundll32mgrmgr.exe
2692	rundll32mgr.exe
2700	WaterMark.exe
2608	WaterMark.exe
1948	WaterMarkmgr.exe
2496	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2228 wrote to memory of 2460	2228	rundll32.exe	30
PID 2460 wrote to memory of 2692	2460	rundll32.exe	31
PID 2460 wrote to memory of 2692	2460	rundll32.exe	31
PID 2460 wrote to memory of 2692	2460	rundll32.exe	31
PID 2460 wrote to memory of 2692	2460	rundll32.exe	31
PID 2692 wrote to memory of 2712	2692	rundll32mgr.exe	32
PID 2692 wrote to memory of 2712	2692	rundll32mgr.exe	32
PID 2692 wrote to memory of 2712	2692	rundll32mgr.exe	32
PID 2692 wrote to memory of 2712	2692	rundll32mgr.exe	32
PID 2692 wrote to memory of 2700	2692	rundll32mgr.exe	33
PID 2692 wrote to memory of 2700	2692	rundll32mgr.exe	33
PID 2692 wrote to memory of 2700	2692	rundll32mgr.exe	33
PID 2692 wrote to memory of 2700	2692	rundll32mgr.exe	33
PID 2712 wrote to memory of 2608	2712	rundll32mgrmgr.exe	34
PID 2712 wrote to memory of 2608	2712	rundll32mgrmgr.exe	34
PID 2712 wrote to memory of 2608	2712	rundll32mgrmgr.exe	34
PID 2712 wrote to memory of 2608	2712	rundll32mgrmgr.exe	34
PID 2608 wrote to memory of 1948	2608	WaterMark.exe	35
PID 2608 wrote to memory of 1948	2608	WaterMark.exe	35
PID 2608 wrote to memory of 1948	2608	WaterMark.exe	35
PID 2608 wrote to memory of 1948	2608	WaterMark.exe	35
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2608 wrote to memory of 2628	2608	WaterMark.exe	36
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 2700 wrote to memory of 2440	2700	WaterMark.exe	37
PID 1948 wrote to memory of 2496	1948	WaterMarkmgr.exe	38
PID 1948 wrote to memory of 2496	1948	WaterMarkmgr.exe	38
PID 1948 wrote to memory of 2496	1948	WaterMarkmgr.exe	38
PID 1948 wrote to memory of 2496	1948	WaterMarkmgr.exe	38
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40
PID 2608 wrote to memory of 1320	2608	WaterMark.exe	39
PID 2700 wrote to memory of 1280	2700	WaterMark.exe	40

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1044
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1636
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2924
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:956
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:344
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1732
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2204
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2544
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:2496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
524KB

MD5
62e78828e47b951efa0313f9830b8ecf

SHA1
2004f707d317bf2f735ac5179a7546c39756a3cc

SHA256
286a2dc3e8e23adefcdab9ac867c022f8d077b3731205225b8c31dc56d5fb80e

SHA512
4188eaa882fed5d4e6b99bcaac8584b1f217ae482d456ae1439aaaa37e9647c7b8f79bf563ffda25c3f493a7799b2847ecb478a6c66ffab7c571a95efe27cbda

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
521KB

MD5
5e7197666ed74a787a3a0ce29458aa9b

SHA1
8565fbc6913dcf85b90f107e5dda18d357434342

SHA256
c15b11d1c192f3994832c50ffc1775e1eb44c0b258c5817603963334ec546b13

SHA512
d4092d5a4724200b3037881187015fac6ee3b9c4993993279d02167e1e5d8a22d944f75a763b8aa99f23c870df9fcfe0ea0d3f9f68ba2fd76854d4cc66b460ba

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
126KB

MD5
036dca3575c999ae72229f418a5f0882

SHA1
cae8eae8bd130555eeed7d32fa93d074f134b0a6

SHA256
323c53cb996602a9a145e1e18fbe04320a465c96e3d5f2bea7ab70b3b00cad63

SHA512
3943d34e53ab2092927d08c91be2838ca59140c62d2b46a5cea960b14c080f2adc406150e8c9c0d7683b6b5f206e84eda6c219e25e9065080271caa7ecd417a6

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
255KB

MD5
6ea88d3eaa4dc3511a4bcc65fb8537a9

SHA1
79158ba5448805d6d1bef347b7c4838ae474e10e

SHA256
34d1d22466de36804d7e1a7313c0a6fd966675846eb59cc1f205d37d1db71093

SHA512
26dbb5b5caa158b70ae15090b0909938e658c6847ff207273d45eaa7b9f6196bbd40d73fabe76f5e26962f1784f1e39b0839b418b96c5f8d424148a12e8256ad

Download Submit
memory/1948-114-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2460-8-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2460-10-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2460-9-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2460-7-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2496-129-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2496-132-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2608-75-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/2608-74-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/2608-79-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2608-59-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2608-756-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2628-115-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2628-119-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2628-86-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2628-88-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2628-123-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2692-16-0x0000000000120000-0x000000000014C000-memory.dmp

Filesize
176KB

Download
memory/2692-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2692-21-0x0000000000120000-0x000000000014C000-memory.dmp

Filesize
176KB

Download
memory/2692-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2700-84-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2700-755-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-32-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2712-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2712-52-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/2712-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2712-56-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/2712-3908-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download