ramnit | 04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
Size

384KB
MD5

996c62c43013653ccb15711c62875d90
SHA1

d91ae854d03c95b5d05d42892d1f3d19fc5ced34
SHA256

04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e
SHA512

f83b01bc275db8c88079eaf330282784aea939cdfa0d4dbb68aae86a6fd2d588858ddd23f5ca9933b930a94ea1ab4ab67fb300bebaeb67ce4235e6815ecc9c0f
SSDEEP

3072:ZRbn3k0CdM1vabyzJYWq5yuUt9zeQDJBPQismhLqP46Ov3oG3fmJGHaMrayh4MJO:ZRD0LS6VKDzNde5w6G4s3haDYd8oI

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 5 IoCs

Processes:

04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

1348 04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
2716 WaterMark.exe
2704 WaterMark.exe
2756 WaterMarkmgr.exe
2512 WaterMark.exe

pid	process
1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
2716	WaterMark.exe
2704	WaterMark.exe
2756	WaterMarkmgr.exe
2512	WaterMark.exe

Loads dropped DLL 10 IoCs

Processes:

04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exeWaterMark.exeWaterMarkmgr.exe

pid	process
2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
2704	WaterMark.exe
2704	WaterMark.exe
2756	WaterMarkmgr.exe
2756	WaterMarkmgr.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2248-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2248-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2512-85-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2704-78-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2756-76-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2716-67-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2756-66-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2704-64-0x0000000000130000-0x000000000016C000-memory.dmp	upx
behavioral1/memory/1348-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2512-772-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibmpeg2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\D3DCompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2iexp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcs.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdbgui.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exesvchost.exe

pid	process
2704	WaterMark.exe
2704	WaterMark.exe
2716	WaterMark.exe
2716	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2512	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2512	WaterMark.exe
2716	WaterMark.exe
2716	WaterMark.exe
2716	WaterMark.exe
2716	WaterMark.exe
2704	WaterMark.exe
2704	WaterMark.exe
2716	WaterMark.exe
2716	WaterMark.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2704	WaterMark.exe
Token: SeDebugPrivilege	2716	WaterMark.exe
Token: SeDebugPrivilege	2512	WaterMark.exe
Token: SeDebugPrivilege	1948	svchost.exe
Token: SeDebugPrivilege	2840	svchost.exe
Token: SeDebugPrivilege	2564	svchost.exe
Token: SeDebugPrivilege	2704	WaterMark.exe
Token: SeDebugPrivilege	2716	WaterMark.exe
Token: SeDebugPrivilege	2512	WaterMark.exe
Token: SeDebugPrivilege	2404	svchost.exe
Token: SeDebugPrivilege	2728	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

Processes:

04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid	process
2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
2716	WaterMark.exe
2704	WaterMark.exe
2756	WaterMarkmgr.exe
2512	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2248 wrote to memory of 1348	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
PID 2248 wrote to memory of 1348	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
PID 2248 wrote to memory of 1348	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
PID 2248 wrote to memory of 1348	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
PID 2248 wrote to memory of 2716	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	WaterMark.exe
PID 2248 wrote to memory of 2716	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	WaterMark.exe
PID 2248 wrote to memory of 2716	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	WaterMark.exe
PID 2248 wrote to memory of 2716	2248	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe	WaterMark.exe
PID 1348 wrote to memory of 2704	1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe	WaterMark.exe
PID 1348 wrote to memory of 2704	1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe	WaterMark.exe
PID 1348 wrote to memory of 2704	1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe	WaterMark.exe
PID 1348 wrote to memory of 2704	1348	04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe	WaterMark.exe
PID 2704 wrote to memory of 2756	2704	WaterMark.exe	WaterMarkmgr.exe
PID 2704 wrote to memory of 2756	2704	WaterMark.exe	WaterMarkmgr.exe
PID 2704 wrote to memory of 2756	2704	WaterMark.exe	WaterMarkmgr.exe
PID 2704 wrote to memory of 2756	2704	WaterMark.exe	WaterMarkmgr.exe
PID 2756 wrote to memory of 2512	2756	WaterMarkmgr.exe	WaterMark.exe
PID 2756 wrote to memory of 2512	2756	WaterMarkmgr.exe	WaterMark.exe
PID 2756 wrote to memory of 2512	2756	WaterMarkmgr.exe	WaterMark.exe
PID 2756 wrote to memory of 2512	2756	WaterMarkmgr.exe	WaterMark.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1188	2512	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2716 wrote to memory of 2404	2716	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2728	2704	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2512 wrote to memory of 1948	2512	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2564	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2564	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2564	2704	WaterMark.exe	svchost.exe
PID 2704 wrote to memory of 2564	2704	WaterMark.exe	svchost.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:2012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:864

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:324

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1084

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2096

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1212

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
C:\Users\Admin\AppData\Local\Temp\04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
782KB

MD5
11b1d72c88b2aee327bb6d5559a33a77

SHA1
52adacaa444bd88d447e10e54fb0c455279c225b

SHA256
2d813360b2bd1c02c207ea1e26a020aa5ce056982be3e738ab1d107904e93294

SHA512
0ee4342bd2a335e751ed801156cc35d7a539f5f3b5d00f6247a36a28485736ba84513e09e9559ccd3c9fe0d54df85ad555e0f58db568d1bc540d434402c8f347

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
779KB

MD5
19a35e745201d5383f4f15924e85380e

SHA1
0d396fef59e87b7181e76e96a235a58148e232fa

SHA256
25756f70d53a7178373d18003d6e6528e11054eb789995bee41c316788214a71

SHA512
4a05eec478ce6236b4e08f95192b7ec56ef2fb10b063d43226f28efe7e288389a0ac27f88c137fa320dc6f8c4ae4357c8f238d484809a59b6d81c2ca4efe7b4f

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
384KB

MD5
996c62c43013653ccb15711c62875d90

SHA1
d91ae854d03c95b5d05d42892d1f3d19fc5ced34

SHA256
04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e

SHA512
f83b01bc275db8c88079eaf330282784aea939cdfa0d4dbb68aae86a6fd2d588858ddd23f5ca9933b930a94ea1ab4ab67fb300bebaeb67ce4235e6815ecc9c0f

Download Submit
\Users\Admin\AppData\Local\Temp\04ed3acbb8ab4546d3f0fdcf12ab7e64d8b772da82db356842c1a53b02963a5e_NeikiAnalyticsmgr.exe
Filesize
191KB

MD5
e2eb051d51dd5a956b7070c03fcf467f

SHA1
e5d9ce816454cddf643719ef71b6891fd8c0e429

SHA256
c05dc40a59dc4c41af052c5a9e02e72545f62bbe8b908ec9114183daef880576

SHA512
e09268688bc34ba899fffa8f42daed6916fabc2eaa8b5a8887fd4a27d3745dfb6c9f6bc05282371fe4b8eb2b1ff0c9e15a3d1abdaacb820a7ba89c285b5dc2fd

Download Submit
memory/1348-38-0x0000000000290000-0x00000000002FD000-memory.dmp

Filesize
436KB

Download
memory/1348-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1348-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-13-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2248-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-14-0x00000000000B0000-0x00000000000EC000-memory.dmp

Filesize
240KB

Download
memory/2248-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2248-12-0x00000000000B0000-0x00000000000EC000-memory.dmp

Filesize
240KB

Download
memory/2404-88-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2404-90-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2512-85-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2512-772-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2512-86-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2704-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2704-41-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2704-64-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2704-65-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2704-70-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2716-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2716-77-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2756-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download