ramnit | 4b2ce9a231e91061ea9032d1cb8de7f26aca96a8608bd5e3f42f69daff359964

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe13a9f694e43272be9782eb58b8cd15_JaffaCakes118.dll
Size

337KB
MD5

fe13a9f694e43272be9782eb58b8cd15
SHA1

18565f31bd76725b20c5cc2fb615ffc8f1915654
SHA256

4b2ce9a231e91061ea9032d1cb8de7f26aca96a8608bd5e3f42f69daff359964
SHA512

15dbee26ce652f1d439316a892fd6895af23ceace9320aa368dc732922a0412eea57b2fb598b1ac64b7098774ea20d5a199f8e26cda6c88faef42013f1f24098
SSDEEP

6144:jN0yr1sO/wIKS0FKtOT/OrDtgUi0uvQee7Qee/0QeesQeeglQeekQeeDC7MB9Ce6:JG6wndYtamDSU1U9mSn8

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2836	regsvr32mgr.exe
540	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
1992	regsvr32.exe
1992	regsvr32.exe
2836	regsvr32mgr.exe
2836	regsvr32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/540-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-37-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2836-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-14-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2836-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2836-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-372-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-636-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunmscapi.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penkor.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\MoreGames.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\dao360.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
540	WaterMark.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	WaterMark.exe
Token: SeDebugPrivilege	2740	svchost.exe
Token: SeDebugPrivilege	540	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2836	regsvr32mgr.exe
540	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 2232 wrote to memory of 1992	2232	regsvr32.exe	31
PID 1992 wrote to memory of 2836	1992	regsvr32.exe	32
PID 1992 wrote to memory of 2836	1992	regsvr32.exe	32
PID 1992 wrote to memory of 2836	1992	regsvr32.exe	32
PID 1992 wrote to memory of 2836	1992	regsvr32.exe	32
PID 2836 wrote to memory of 540	2836	regsvr32mgr.exe	33
PID 2836 wrote to memory of 540	2836	regsvr32mgr.exe	33
PID 2836 wrote to memory of 540	2836	regsvr32mgr.exe	33
PID 2836 wrote to memory of 540	2836	regsvr32mgr.exe	33
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2616	540	WaterMark.exe	34
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 540 wrote to memory of 2740	540	WaterMark.exe	35
PID 2740 wrote to memory of 256	2740	svchost.exe	1
PID 2740 wrote to memory of 256	2740	svchost.exe	1
PID 2740 wrote to memory of 256	2740	svchost.exe	1
PID 2740 wrote to memory of 256	2740	svchost.exe	1
PID 2740 wrote to memory of 256	2740	svchost.exe	1
PID 2740 wrote to memory of 332	2740	svchost.exe	2
PID 2740 wrote to memory of 332	2740	svchost.exe	2
PID 2740 wrote to memory of 332	2740	svchost.exe	2
PID 2740 wrote to memory of 332	2740	svchost.exe	2
PID 2740 wrote to memory of 332	2740	svchost.exe	2
PID 2740 wrote to memory of 384	2740	svchost.exe	3
PID 2740 wrote to memory of 384	2740	svchost.exe	3
PID 2740 wrote to memory of 384	2740	svchost.exe	3
PID 2740 wrote to memory of 384	2740	svchost.exe	3
PID 2740 wrote to memory of 384	2740	svchost.exe	3
PID 2740 wrote to memory of 396	2740	svchost.exe	4
PID 2740 wrote to memory of 396	2740	svchost.exe	4
PID 2740 wrote to memory of 396	2740	svchost.exe	4
PID 2740 wrote to memory of 396	2740	svchost.exe	4
PID 2740 wrote to memory of 396	2740	svchost.exe	4
PID 2740 wrote to memory of 432	2740	svchost.exe	5
PID 2740 wrote to memory of 432	2740	svchost.exe	5
PID 2740 wrote to memory of 432	2740	svchost.exe	5
PID 2740 wrote to memory of 432	2740	svchost.exe	5
PID 2740 wrote to memory of 432	2740	svchost.exe	5
PID 2740 wrote to memory of 476	2740	svchost.exe	6
PID 2740 wrote to memory of 476	2740	svchost.exe	6
PID 2740 wrote to memory of 476	2740	svchost.exe	6
PID 2740 wrote to memory of 476	2740	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2012
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1488
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:1408
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1048
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1064
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1084
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1168
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1424
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2868
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2188
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fe13a9f694e43272be9782eb58b8cd15_JaffaCakes118.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\fe13a9f694e43272be9782eb58b8cd15_JaffaCakes118.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2616
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
206KB

MD5
e454478bf7eb7a36d1ef1666c3421a03

SHA1
3941208dfdc76faab909b919f05c150e7bc5670e

SHA256
15dca450af516476576d7a2053333a8816db8ed9312b7143c3e2192160e9b04f

SHA512
e940d815a68cae0c340dfb0ae589fb6493303d5e0583529fa99ed3b8eecb50e2432cd6d34adcce7648eb64b20df242c233e3793537ee6ea5636c6833b0c26fca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
202KB

MD5
1cff6e967ff37b161316ba502ca09a15

SHA1
4778f7279fc53027b4117560dd6d511ab6365891

SHA256
d60bde461d0de3fcba30ebcd7aee1997e1612ae57167fd04e3855927f634e2bb

SHA512
140980e8adeca7821b27458cea46a9e6deef6f0406ceb63828b0efe4a7d16d89ff705f24c13b5cb42bb54e1f58d943e2d63e5eab3cb40f8d776cf59e9f3fb43f

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
96KB

MD5
8c51fd9d6daa7b6137634de19a49452c

SHA1
db2a11cca434bacad2bf42adeecae38e99cf64f8

SHA256
528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

SHA512
b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

Download Submit
memory/540-636-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-372-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-39-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/540-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-41-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/540-69-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/540-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-633-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000074990000-0x00000000749E7000-memory.dmp

Filesize
348KB

Download
memory/1992-9-0x00000000004A0000-0x00000000004D5000-memory.dmp

Filesize
212KB

Download
memory/2616-58-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2616-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-45-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2616-52-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-57-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-60-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2616-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2740-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2740-88-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2740-85-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2740-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2740-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2740-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2740-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2740-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2836-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2836-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2836-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download