ramnit | ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393

General

Target

ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll
Size

157KB
MD5

65c33f336e53a2b8e132bd4121224a84
SHA1

7cc8cd99f20923e5c2126596019a67cecbd7ce2a
SHA256

ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393
SHA512

c56133e3839f0f1f4c45b0852be648107d47e8bf11b3fb29efc0181ab6ec813e4247066155105edec1a65f3ea7e1e21b595fd2e534e4f82ceeeb79d8f3ffa591
SSDEEP

3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1C:IMqWfdNANO6yEYZ7DVQgsQLPzo1C

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-28-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2364-30-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2364-29-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2364-34-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2592-133-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2808-89-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/1732-57-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2364-27-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2364-26-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2624-183-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral1/memory/2640-185-0x0000000000400000-0x0000000000421000-memory.dmp	UPX

Executes dropped EXE 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

2364 rundll32mgr.exe
1732 rundll32mgrmgr.exe
2624 WaterMark.exe
2640 WaterMark.exe
2808 WaterMarkmgr.exe
2592 WaterMark.exe

pid	process
2364	rundll32mgr.exe
1732	rundll32mgrmgr.exe
2624	WaterMark.exe
2640	WaterMark.exe
2808	WaterMarkmgr.exe
2592	WaterMark.exe

Loads dropped DLL 12 IoCs

Processes:

rundll32.exerundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exe

pid	process
1720	rundll32.exe
1720	rundll32.exe
2364	rundll32mgr.exe
2364	rundll32mgr.exe
2364	rundll32mgr.exe
2364	rundll32mgr.exe
1732	rundll32mgrmgr.exe
1732	rundll32mgrmgr.exe
2624	WaterMark.exe
2624	WaterMark.exe
2808	WaterMarkmgr.exe
2808	WaterMarkmgr.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2364-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2592-97-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2592-133-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2808-84-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2808-89-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1732-57-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2364-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2624-183-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2640-185-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exerundll32mgr.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\jsdt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jpeg.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penusa.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libadummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\axvlc.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\instrument.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WaterMark.exeWaterMark.exe

pid	process
2640	WaterMark.exe
2640	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2624	WaterMark.exe
2640	WaterMark.exe
2640	WaterMark.exe
2640	WaterMark.exe
2640	WaterMark.exe
2640	WaterMark.exe
2640	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exeWaterMark.exeWaterMark.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1720	rundll32.exe
Token: SeDebugPrivilege	2640	WaterMark.exe
Token: SeDebugPrivilege	2624	WaterMark.exe
Token: SeDebugPrivilege	340	svchost.exe
Token: SeDebugPrivilege	2868	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

2364 rundll32mgr.exe
1732 rundll32mgrmgr.exe
2640 WaterMark.exe
2624 WaterMark.exe
2808 WaterMarkmgr.exe
2592 WaterMark.exe

pid	process
2364	rundll32mgr.exe
1732	rundll32mgrmgr.exe
2640	WaterMark.exe
2624	WaterMark.exe
2808	WaterMarkmgr.exe
2592	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

description	pid	process	target process
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	rundll32mgr.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	rundll32mgr.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	rundll32mgr.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	rundll32mgr.exe
PID 2364 wrote to memory of 1732	2364	rundll32mgr.exe	rundll32mgrmgr.exe
PID 2364 wrote to memory of 1732	2364	rundll32mgr.exe	rundll32mgrmgr.exe
PID 2364 wrote to memory of 1732	2364	rundll32mgr.exe	rundll32mgrmgr.exe
PID 2364 wrote to memory of 1732	2364	rundll32mgr.exe	rundll32mgrmgr.exe
PID 2364 wrote to memory of 2624	2364	rundll32mgr.exe	WaterMark.exe
PID 2364 wrote to memory of 2624	2364	rundll32mgr.exe	WaterMark.exe
PID 2364 wrote to memory of 2624	2364	rundll32mgr.exe	WaterMark.exe
PID 2364 wrote to memory of 2624	2364	rundll32mgr.exe	WaterMark.exe
PID 1732 wrote to memory of 2640	1732	rundll32mgrmgr.exe	WaterMark.exe
PID 1732 wrote to memory of 2640	1732	rundll32mgrmgr.exe	WaterMark.exe
PID 1732 wrote to memory of 2640	1732	rundll32mgrmgr.exe	WaterMark.exe
PID 1732 wrote to memory of 2640	1732	rundll32mgrmgr.exe	WaterMark.exe
PID 2624 wrote to memory of 2808	2624	WaterMark.exe	WaterMarkmgr.exe
PID 2624 wrote to memory of 2808	2624	WaterMark.exe	WaterMarkmgr.exe
PID 2624 wrote to memory of 2808	2624	WaterMark.exe	WaterMarkmgr.exe
PID 2624 wrote to memory of 2808	2624	WaterMark.exe	WaterMarkmgr.exe
PID 2808 wrote to memory of 2592	2808	WaterMarkmgr.exe	WaterMark.exe
PID 2808 wrote to memory of 2592	2808	WaterMarkmgr.exe	WaterMark.exe
PID 2808 wrote to memory of 2592	2808	WaterMarkmgr.exe	WaterMark.exe
PID 2808 wrote to memory of 2592	2808	WaterMarkmgr.exe	WaterMark.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 2216	2624	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 1100	2640	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2624 wrote to memory of 340	2624	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 2868	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 2868	2640	WaterMark.exe	svchost.exe
PID 2640 wrote to memory of 2868	2640	WaterMark.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
PID:1100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2624

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2808

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
257KB

MD5
ea6283f88fb261f48b344f85b807d275

SHA1
8fa72a0d9c83ef55647334a55d61c591abe0af6d

SHA256
24facaad0272ae0141568e1e6c897dfc4336a9a229d5efaff527b834c2c01424

SHA512
b587231e6cfa2514eaf82e543e49b3ee341780f0e086091f5570ef7e5b2a07de50186f53e1c0c5b06250d2ba8ab25985ee52052de7271fb58ab2a88a37c65dce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
253KB

MD5
716d666ff423daaf10ad02eff1a8d8cb

SHA1
56b5757448a2225e71ec4ce391ee5273916804f7

SHA256
fa95d6bf7913fc3439e393255a20f793f24593a078a122521f7dfdec0222c359

SHA512
14a15a0ee07f6918cdb72e4fda57405de2bf6efd17b1c5d08e516bc1b98d191320c6ffc055555af49a304cb371364bc9896df5fa91ff79383af82c7d8a1e5eac

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe
Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
memory/1720-2-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/1720-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-10-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1720-11-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1720-13-0x0000000077D70000-0x0000000077D71000-memory.dmp

Filesize
4KB

Download
memory/1720-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-59-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/1732-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1732-58-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2216-110-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2216-118-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2216-100-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2216-102-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2216-114-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2364-33-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2364-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-23-0x0000000000130000-0x0000000000153000-memory.dmp

Filesize
140KB

Download
memory/2364-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2364-17-0x0000000000130000-0x0000000000153000-memory.dmp

Filesize
140KB

Download
memory/2364-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2592-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-133-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-67-0x0000000000120000-0x0000000000143000-memory.dmp

Filesize
140KB

Download
memory/2624-183-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2640-78-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2640-185-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2808-84-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2808-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2808-96-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads