ramnit | 5e0c94ebef74deec4ca62fc13195c8084fa79ef42cd43a597dc89444debea842

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll
Size

132KB
MD5

e1a2253d2dc01f2581d82006f5699ad9
SHA1

75fdd7aa2b25cbcd5d4a46f0eb94d8467cd59e34
SHA256

5e0c94ebef74deec4ca62fc13195c8084fa79ef42cd43a597dc89444debea842
SHA512

0810663a169edc199ea9477a0459625bf24d29da293716b774d579f2e67bec4bc95e8ae0279db76cd4d4f4438e0431dcd40adcdf5fd0d1fe9873038f37166bef
SSDEEP

1536:tibToqp78CcWWG6yhhdikVYFjX0aQe5ID/08htEDotqm:tibTTp78CcW6yVdYWmG0joIm

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2864	rundll32mgr.exe
2596	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2716	rundll32.exe
2716	rundll32.exe
2864	rundll32mgr.exe
2864	rundll32mgr.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2864-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2864-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2596-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2596-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2596-89-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2596-83-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2596-668-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadco.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunmscapi.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\NBDoc.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\networkinspection.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcs.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\npvlc.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	2716	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2596	WaterMark.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	WaterMark.exe
Token: SeDebugPrivilege	2628	svchost.exe
Token: SeDebugPrivilege	2716	rundll32.exe
Token: SeDebugPrivilege	2964	WerFault.exe
Token: SeDebugPrivilege	2596	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2864	rundll32mgr.exe
2596	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2672 wrote to memory of 2716	2672	rundll32.exe	30
PID 2716 wrote to memory of 2864	2716	rundll32.exe	31
PID 2716 wrote to memory of 2864	2716	rundll32.exe	31
PID 2716 wrote to memory of 2864	2716	rundll32.exe	31
PID 2716 wrote to memory of 2864	2716	rundll32.exe	31
PID 2716 wrote to memory of 2964	2716	rundll32.exe	32
PID 2716 wrote to memory of 2964	2716	rundll32.exe	32
PID 2716 wrote to memory of 2964	2716	rundll32.exe	32
PID 2716 wrote to memory of 2964	2716	rundll32.exe	32
PID 2864 wrote to memory of 2596	2864	rundll32mgr.exe	33
PID 2864 wrote to memory of 2596	2864	rundll32mgr.exe	33
PID 2864 wrote to memory of 2596	2864	rundll32mgr.exe	33
PID 2864 wrote to memory of 2596	2864	rundll32mgr.exe	33
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2632	2596	WaterMark.exe	34
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2596 wrote to memory of 2628	2596	WaterMark.exe	35
PID 2628 wrote to memory of 256	2628	svchost.exe	1
PID 2628 wrote to memory of 256	2628	svchost.exe	1
PID 2628 wrote to memory of 256	2628	svchost.exe	1
PID 2628 wrote to memory of 256	2628	svchost.exe	1
PID 2628 wrote to memory of 256	2628	svchost.exe	1
PID 2628 wrote to memory of 332	2628	svchost.exe	2
PID 2628 wrote to memory of 332	2628	svchost.exe	2
PID 2628 wrote to memory of 332	2628	svchost.exe	2
PID 2628 wrote to memory of 332	2628	svchost.exe	2
PID 2628 wrote to memory of 332	2628	svchost.exe	2
PID 2628 wrote to memory of 380	2628	svchost.exe	3
PID 2628 wrote to memory of 380	2628	svchost.exe	3
PID 2628 wrote to memory of 380	2628	svchost.exe	3
PID 2628 wrote to memory of 380	2628	svchost.exe	3
PID 2628 wrote to memory of 380	2628	svchost.exe	3
PID 2628 wrote to memory of 392	2628	svchost.exe	4
PID 2628 wrote to memory of 392	2628	svchost.exe	4
PID 2628 wrote to memory of 392	2628	svchost.exe	4
PID 2628 wrote to memory of 392	2628	svchost.exe	4
PID 2628 wrote to memory of 392	2628	svchost.exe	4
PID 2628 wrote to memory of 428	2628	svchost.exe	5
PID 2628 wrote to memory of 428	2628	svchost.exe	5
PID 2628 wrote to memory of 428	2628	svchost.exe	5
PID 2628 wrote to memory of 428	2628	svchost.exe	5
PID 2628 wrote to memory of 428	2628	svchost.exe	5

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1408
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1572
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:768
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1048
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1060
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1144
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2988
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2164
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2632
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 224
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
197KB

MD5
3b13c6ba2611c64912f02e32f6094cbc

SHA1
b01f6170dd2c6e42300ffc01c9125f0b7d0e8e27

SHA256
d034348b442c14d41c06cf3085babf3a50f360100997944e247ee5e829271f7a

SHA512
d2c411bf50712a94938f31bdc972c538a4e405bc174782eca5f4a09cc3b74c6a4a8e2cd7c33c7bb79a3619941855fdad9980f6be568b9622ec74bb31420424e1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
193KB

MD5
484b299469746f7e58e61b4ac5ac7fa0

SHA1
edeb89113ecdac2d0bbcc11d4ee5344ddd465786

SHA256
52fb097cc832e99d00e1c6c7971a021a938ab0d0fa6c9b9c029d22608c75dde4

SHA512
a0165a861713d897f6c3ea192f0f2fae04af93a3b4f2f3de4b7f3325b07f476661200b4c2d27a9b6d77026b7346ccf80f7e94ecd7015295030fa47990207bb41

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
a3b5b19b09613a76bd054ce279edb5f2

SHA1
4324c72de65b2812bfe9cc969f7fba7022a85a55

SHA256
13629c42889859682a721bc0927ff258a135f39951a64fd45409ba0d209212ce

SHA512
32d3c8a71eaaea6d6074ed63d7fd7b41c5dd4dea66e8c3f5ce84ad4f6ead79838ed28548d4b73103dfb06e426236835622ff337fa692872d7d23cd58da3ae865

Download Submit
memory/2596-72-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2596-668-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2596-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2596-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2596-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2596-90-0x0000000077BCF000-0x0000000077BD0000-memory.dmp

Filesize
4KB

Download
memory/2596-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2596-43-0x0000000077BCF000-0x0000000077BD0000-memory.dmp

Filesize
4KB

Download
memory/2596-83-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2596-42-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2596-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2628-91-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2628-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2628-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2628-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2628-96-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2628-95-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2628-93-0x0000000077BD0000-0x0000000077BD1000-memory.dmp

Filesize
4KB

Download
memory/2628-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2628-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2632-405-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2632-56-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-45-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-68-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2632-61-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-63-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2716-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-3369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-3367-0x000000006D080000-0x000000006D0A1000-memory.dmp

Filesize
132KB

Download
memory/2716-3-0x000000006D080000-0x000000006D0A1000-memory.dmp

Filesize
132KB

Download
memory/2716-0-0x000000006D080000-0x000000006D0A1000-memory.dmp

Filesize
132KB

Download
memory/2716-2-0x000000006D080000-0x000000006D0A1000-memory.dmp

Filesize
132KB

Download
memory/2864-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-19-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2864-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-13-0x0000000000400000-0x0000000000428E39-memory.dmp

Filesize
163KB

Download
memory/2864-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download