ramnit | c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1

Analysis

max time kernel
120s
max time network
106s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Size

216KB
MD5

66b373d577a470e59415405cf2e87997
SHA1

cdf93674df1a4f27df7c89cebb0aeba1e8df9168
SHA256

c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1
SHA512

a72384e956bf0e9664b6347e21662c0f641058759652f332d470e622701b1d0f9e63d97c6b90131861bff511ecd98ee4fbad5e0708471415ae99d2d01f85fb4e
SSDEEP

3072:Ol6EgmJBkSju7dMIplpdWnWf1WYCPTkG8M8kkRqX66poLD8x8VnvupmYmcNovxG:O3BPju7B3zjNWlIG88k666qfVUFOpG

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NTDETECT.COM	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NTDETECT.COM	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
3040	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rkihiy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Rkihiy.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\F:	mspaint.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2192	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	32
PID 2192 set thread context of 2624	2192	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	34

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2276-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2276-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2276-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2276-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2276-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3040-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPNSSUI.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\jnwmon.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoViewer.dll	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
3040	WaterMark.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2624	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
2624	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe
2520	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2192	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	WaterMark.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Token: SeDebugPrivilege	3040	WaterMark.exe
Token: SeDebugPrivilege	2192	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Token: SeDebugPrivilege	2624	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Token: SeDebugPrivilege	2792	svchost.exe
Token: SeDebugPrivilege	1492	mspaint.exe
Token: SeDebugPrivilege	2624	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Token: SeDebugPrivilege	2656	svchost.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	1492	mspaint.exe
Token: SeDebugPrivilege	2192	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
Token: SeDebugPrivilege	2792	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1492	mspaint.exe
1492	mspaint.exe
1492	mspaint.exe
1492	mspaint.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
3040	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2276	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	28
PID 2284 wrote to memory of 2276	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	28
PID 2284 wrote to memory of 2276	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	28
PID 2284 wrote to memory of 2276	2284	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe	28
PID 2276 wrote to memory of 3040	2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe	29
PID 2276 wrote to memory of 3040	2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe	29
PID 2276 wrote to memory of 3040	2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe	29
PID 2276 wrote to memory of 3040	2276	c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe	29
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2656	3040	WaterMark.exe	30
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 3040 wrote to memory of 2520	3040	WaterMark.exe	31
PID 2520 wrote to memory of 256	2520	svchost.exe	1
PID 2520 wrote to memory of 256	2520	svchost.exe	1
PID 2520 wrote to memory of 256	2520	svchost.exe	1
PID 2520 wrote to memory of 256	2520	svchost.exe	1
PID 2520 wrote to memory of 256	2520	svchost.exe	1
PID 2520 wrote to memory of 336	2520	svchost.exe	2
PID 2520 wrote to memory of 336	2520	svchost.exe	2
PID 2520 wrote to memory of 336	2520	svchost.exe	2
PID 2520 wrote to memory of 336	2520	svchost.exe	2
PID 2520 wrote to memory of 336	2520	svchost.exe	2
PID 2520 wrote to memory of 384	2520	svchost.exe	3
PID 2520 wrote to memory of 384	2520	svchost.exe	3
PID 2520 wrote to memory of 384	2520	svchost.exe	3
PID 2520 wrote to memory of 384	2520	svchost.exe	3
PID 2520 wrote to memory of 384	2520	svchost.exe	3
PID 2520 wrote to memory of 392	2520	svchost.exe	4
PID 2520 wrote to memory of 392	2520	svchost.exe	4
PID 2520 wrote to memory of 392	2520	svchost.exe	4
PID 2520 wrote to memory of 392	2520	svchost.exe	4
PID 2520 wrote to memory of 392	2520	svchost.exe	4
PID 2520 wrote to memory of 432	2520	svchost.exe	5
PID 2520 wrote to memory of 432	2520	svchost.exe	5
PID 2520 wrote to memory of 432	2520	svchost.exe	5
PID 2520 wrote to memory of 432	2520	svchost.exe	5
PID 2520 wrote to memory of 432	2520	svchost.exe	5
PID 2520 wrote to memory of 480	2520	svchost.exe	6
PID 2520 wrote to memory of 480	2520	svchost.exe	6
PID 2520 wrote to memory of 480	2520	svchost.exe	6
PID 2520 wrote to memory of 480	2520	svchost.exe	6
PID 2520 wrote to memory of 480	2520	svchost.exe	6
PID 2520 wrote to memory of 488	2520	svchost.exe	7
PID 2520 wrote to memory of 488	2520	svchost.exe	7
PID 2520 wrote to memory of 488	2520	svchost.exe	7
PID 2520 wrote to memory of 488	2520	svchost.exe	7
PID 2520 wrote to memory of 488	2520	svchost.exe	7
PID 2520 wrote to memory of 496	2520	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1692
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1508
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:3532
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:1988
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:692
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:776
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:832
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:872
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:344
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1060
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2116
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    3⤵
    PID:1836
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
  "C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
    C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
- - C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
    "C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    - - C:\Windows\SysWOW64\mspaint.exe
        
        "C:\Windows\system32\mspaint.exe"
        5⤵
        Adds Run key to start application
        Enumerates connected drives
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe
      "C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
133KB

MD5
971541e095e1ddd39cf3c614209b1b4d

SHA1
bee96dba0ec50b2385b85bf4b8e8bebf9dd6a9ea

SHA256
716a9f69b068fdd1aa9115b415de4571a5f4dbb4b0a2711b6afd6b91df2d1b92

SHA512
1fce8a8655b9513d8bbc298f2855329c8ce50ca1ae359caf630fc032989dfc0bac49d36483bfc6f65801fb330186c09d70310eab25c4399c90ef51bb9fc42d8c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
129KB

MD5
7f2a95cbb54bdf214a48b9fbf545160a

SHA1
152217c7ad63afb1ebf56076ebf6f8a5f87dec47

SHA256
b7527834b5f3f393eab07b1721d5fb707f87d6e100fec85994b312e76a09d614

SHA512
dd743843ab008dc78531415a19c1ea47da8bea48df3f5b80d08887120316e8cc4bffd3f022800907f46542e54eb269a4f89893f4d0f8d9c494c6193e1a4d44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c72381ca276d8fb461b48bc0ef6e052e5ead112efc40d3998467042f4a7bd8e1mgr.exe

Filesize
59KB

MD5
a2140ffa40095f183b9391c0d3173462

SHA1
114f9b32c8c3b443bc6b6d136e5367160f04597d

SHA256
a816e9d9ac773fc178756269ac79c93f61c33b8f4c92fca08e89b1eb31fe2b53

SHA512
037ff28bb852c8ded8c8a980b65e32eaad8f6a3bd33fb122f097507bc4a756b4c34b8bc37ffa581ed21e29de21a84af279f5fc6cfecf87e5d4bd2bc955d4804b

Download Submit
memory/2276-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2276-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-72-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2520-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2520-75-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2520-58-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2520-76-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2520-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2520-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2520-68-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2656-51-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2656-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2656-47-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2656-33-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2656-35-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3040-56-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3040-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3040-30-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download