ramnit | 7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
Size

152KB
MD5

eaf7832ffb424512b69d09b64eb4d5e0
SHA1

e30f9f8c86e3b0b8261dd55784f6f3e58f14202e
SHA256

7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c
SHA512

9409addc001783272292c030e4a84199def6189b93be355b5341072754214b3bcdd55ba52d1a7be2da6a21ab04e112986fb8a1b3139ac7d5fadb0b81b7810187
SSDEEP

3072:SR2xn3k0CdM1vabyzJYWqChYZ4z1sxtbjIUWnoRzp:SR2J0LS6VlZ4zytbLt

Score

10^/10

ramnit banker defense_evasion discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2100	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
2100	WaterMark.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2336-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2100-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2100-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2100-91-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2100-627-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdbgui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\decora-sse.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Wplugin.dll	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
File opened for modification	C:\Windows\Wplugin.dll	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
File created	C:\Windows\explorer.exe.local	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
File created	C:\Windows\ws2help.dll	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
File opened for modification	C:\Windows\ws2help.dll	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
File created	C:\Windows\Wplugin.dll	WaterMark.exe

Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs
Possible initial access via DLL redirection search order hijacking.
defense_evasion

DLL Search Order Hijacking
T1574.001

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2100	WaterMark.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	WaterMark.exe
Token: SeDebugPrivilege	2620	svchost.exe
Token: SeDebugPrivilege	2100	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
2100	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2100	2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe	30
PID 2336 wrote to memory of 2100	2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe	30
PID 2336 wrote to memory of 2100	2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe	30
PID 2336 wrote to memory of 2100	2336	7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe	30
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2636	2100	WaterMark.exe	31
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2100 wrote to memory of 2620	2100	WaterMark.exe	32
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 256	2620	svchost.exe	1
PID 2620 wrote to memory of 332	2620	svchost.exe	2
PID 2620 wrote to memory of 332	2620	svchost.exe	2
PID 2620 wrote to memory of 332	2620	svchost.exe	2
PID 2620 wrote to memory of 332	2620	svchost.exe	2
PID 2620 wrote to memory of 332	2620	svchost.exe	2
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 384	2620	svchost.exe	3
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 392	2620	svchost.exe	4
PID 2620 wrote to memory of 432	2620	svchost.exe	5
PID 2620 wrote to memory of 432	2620	svchost.exe	5
PID 2620 wrote to memory of 432	2620	svchost.exe	5
PID 2620 wrote to memory of 432	2620	svchost.exe	5
PID 2620 wrote to memory of 432	2620	svchost.exe	5
PID 2620 wrote to memory of 476	2620	svchost.exe	6
PID 2620 wrote to memory of 476	2620	svchost.exe	6
PID 2620 wrote to memory of 476	2620	svchost.exe	6
PID 2620 wrote to memory of 476	2620	svchost.exe	6
PID 2620 wrote to memory of 476	2620	svchost.exe	6
PID 2620 wrote to memory of 492	2620	svchost.exe	7
PID 2620 wrote to memory of 492	2620	svchost.exe	7
PID 2620 wrote to memory of 492	2620	svchost.exe	7
PID 2620 wrote to memory of 492	2620	svchost.exe	7
PID 2620 wrote to memory of 492	2620	svchost.exe	7
PID 2620 wrote to memory of 500	2620	svchost.exe	8
PID 2620 wrote to memory of 500	2620	svchost.exe	8
PID 2620 wrote to memory of 500	2620	svchost.exe	8
PID 2620 wrote to memory of 500	2620	svchost.exe	8
PID 2620 wrote to memory of 500	2620	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1996
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1580
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1044
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2844
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1068
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1076
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1156
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1384
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1788
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2076
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe
  "C:\Users\Admin\AppData\Local\Temp\7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

DLL Search Order Hijacking

T1574.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

DLL Search Order Hijacking

T1574.001

Defense Evasion

Hijack Execution Flow

T1574

DLL Search Order Hijacking

T1574.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
318KB

MD5
25b7e12fe53cd4cc474955c0855ff188

SHA1
c89deffb82674b38cd6ff4a3bfd8df57bd577323

SHA256
79cd2364d34d34a8ce16dcbe53f3368ff1651a42992f57ac05afe55af5a3b6bf

SHA512
d13d39c1419d1f6b563cd1cc8493e49e5715971c68beb13acc62e95e5de054056eb7d89c4b40cbb051c1794d00a8b5f8d8fb624fa8e9f56fe62bb29a171cac6c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
314KB

MD5
37bdb938f6951c857b3588c571f9d0ab

SHA1
2ee3dcf7c3d5e58f9242e8e99d1155223941220e

SHA256
373fa66960e2bb131aaf7e0304982fdaaff72b19cbe5e1f9d0a513da23f93f8b

SHA512
f9e144cfc08eb245c31711bba4fc421ad6186985c2f51733646cea0863c871b3ba4c11500386ba8ba1d600f99cf2e2151cd9760e9c1a639b95f80dabdd501042

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
152KB

MD5
eaf7832ffb424512b69d09b64eb4d5e0

SHA1
e30f9f8c86e3b0b8261dd55784f6f3e58f14202e

SHA256
7ac19536816657338fea7d09f0072158aff97ed2145cf133b3d312f5691f859c

SHA512
9409addc001783272292c030e4a84199def6189b93be355b5341072754214b3bcdd55ba52d1a7be2da6a21ab04e112986fb8a1b3139ac7d5fadb0b81b7810187

Download Submit
\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
memory/2100-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-627-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-93-0x00000000774FF000-0x0000000077500000-memory.dmp

Filesize
4KB

Download
memory/2100-91-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-45-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2100-43-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2100-75-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2100-44-0x00000000774FF000-0x0000000077500000-memory.dmp

Filesize
4KB

Download
memory/2336-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-31-0x0000000000050000-0x0000000000073000-memory.dmp

Filesize
140KB

Download
memory/2336-24-0x0000000000050000-0x0000000000073000-memory.dmp

Filesize
140KB

Download
memory/2336-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-14-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2336-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2336-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2620-95-0x0000000077500000-0x0000000077501000-memory.dmp

Filesize
4KB

Download
memory/2620-96-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-92-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2620-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-77-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-97-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2620-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2620-98-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2636-62-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2636-58-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-69-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-63-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2636-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-364-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-57-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2636-48-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2636-46-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download