ramnit | 245b4df9ceafa31e854f40ce9836424d48a29f930b7d0783f928701138114756

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
Size

4.3MB
MD5

bdb49ef7be7155f04cbfd0fc4da33c08
SHA1

5908c9f6f41a8f9c8187d96442947c0cec5cc504
SHA256

245b4df9ceafa31e854f40ce9836424d48a29f930b7d0783f928701138114756
SHA512

cabfe018729925919c2c1bb9259ab63f1aa3cf4abed0042f9afe7949e08a95ff1f208e845f9caf34f231c5b467a35cbdf3d76539706709a7d0f7d026697db676
SSDEEP

98304:Ed675opH8FnKhoIkrxLHCx9D0MEPrPTff4RSoj9ghi1RebMIg9Cbk/V8giirSeF:K810Wx2Xm7Tff4RSojDIg9Cbk/V88

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
2404	WaterMark.exe

Loads dropped DLL 14 IoCs

pid	Process
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2404-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2688-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2688-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2404-82-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2404-647-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadco.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\MSPVWCTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEDAO.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2404	WaterMark.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	WaterMark.exe
Token: SeDebugPrivilege	2600	svchost.exe
Token: SeDebugPrivilege	2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
Token: SeDebugPrivilege	2404	WaterMark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
2404	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2688	2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe	30
PID 2248 wrote to memory of 2688	2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe	30
PID 2248 wrote to memory of 2688	2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe	30
PID 2248 wrote to memory of 2688	2248	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe	30
PID 2688 wrote to memory of 2404	2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe	31
PID 2688 wrote to memory of 2404	2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe	31
PID 2688 wrote to memory of 2404	2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe	31
PID 2688 wrote to memory of 2404	2688	2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe	31
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2652	2404	WaterMark.exe	32
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2404 wrote to memory of 2600	2404	WaterMark.exe	33
PID 2600 wrote to memory of 256	2600	svchost.exe	1
PID 2600 wrote to memory of 256	2600	svchost.exe	1
PID 2600 wrote to memory of 256	2600	svchost.exe	1
PID 2600 wrote to memory of 256	2600	svchost.exe	1
PID 2600 wrote to memory of 256	2600	svchost.exe	1
PID 2600 wrote to memory of 336	2600	svchost.exe	2
PID 2600 wrote to memory of 336	2600	svchost.exe	2
PID 2600 wrote to memory of 336	2600	svchost.exe	2
PID 2600 wrote to memory of 336	2600	svchost.exe	2
PID 2600 wrote to memory of 336	2600	svchost.exe	2
PID 2600 wrote to memory of 384	2600	svchost.exe	3
PID 2600 wrote to memory of 384	2600	svchost.exe	3
PID 2600 wrote to memory of 384	2600	svchost.exe	3
PID 2600 wrote to memory of 384	2600	svchost.exe	3
PID 2600 wrote to memory of 384	2600	svchost.exe	3
PID 2600 wrote to memory of 392	2600	svchost.exe	4
PID 2600 wrote to memory of 392	2600	svchost.exe	4
PID 2600 wrote to memory of 392	2600	svchost.exe	4
PID 2600 wrote to memory of 392	2600	svchost.exe	4
PID 2600 wrote to memory of 392	2600	svchost.exe	4
PID 2600 wrote to memory of 432	2600	svchost.exe	5
PID 2600 wrote to memory of 432	2600	svchost.exe	5
PID 2600 wrote to memory of 432	2600	svchost.exe	5
PID 2600 wrote to memory of 432	2600	svchost.exe	5
PID 2600 wrote to memory of 432	2600	svchost.exe	5
PID 2600 wrote to memory of 476	2600	svchost.exe	6
PID 2600 wrote to memory of 476	2600	svchost.exe	6
PID 2600 wrote to memory of 476	2600	svchost.exe	6
PID 2600 wrote to memory of 476	2600	svchost.exe	6
PID 2600 wrote to memory of 476	2600	svchost.exe	6
PID 2600 wrote to memory of 492	2600	svchost.exe	7
PID 2600 wrote to memory of 492	2600	svchost.exe	7
PID 2600 wrote to memory of 492	2600	svchost.exe	7
PID 2600 wrote to memory of 492	2600	svchost.exe	7
PID 2600 wrote to memory of 492	2600	svchost.exe	7
PID 2600 wrote to memory of 500	2600	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1508
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1008
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2264
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1096
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1032
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1068
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1132
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1212
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2520
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2168
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnit.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
    C:\Users\Admin\AppData\Local\Temp\2024-12-11_bdb49ef7be7155f04cbfd0fc4da33c08_mafia_ramnitmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
be1d07ff1a7206787fe1ab3acff017d8

SHA1
7098919b3b0ad48e7297ab1c0526e41d3c084916

SHA256
553a6c845b90d293e243a5c90a0a6fbb127a4c2ad6bea7eac6539f35cc0a0b4f

SHA512
5bf7320645bf80ccd625689cb294a47eeaa8a8bfcfe59f3b731da6bbeb579e3d6aef6d63b0694d44b28c4e9f92d2ac3457b87e28832b9dd87b3e023a39e38757

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
238KB

MD5
4dc511e16953902e2f074e4edbc8b258

SHA1
1833875de6d52a55ba6ff2bc7c358eaf06e5ad45

SHA256
28592df75d634944db7d91ac567816009aaa407098f34be995ce4f529315c80d

SHA512
3c34751b21953d176b49810b52e70bbdc45d5ea5aa53b89598ebdd1d7e99e79ac7808d38d70498f04204ce6637634498ddf387500cb364b986551016ba26af08

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
234KB

MD5
e01a40d8bfe1062941538d7c3e62bc66

SHA1
0765d1bbae64cabca0eaccb288573a5cdbfe1270

SHA256
eaeb1604d36f5aff2984faaf6a6fe45cf15cf7bdd90f5f8768dbdb5cadec89de

SHA512
dfa35c0a2e7bf5e53c314b45a6796f338b6308b1ce2d83f0ab197340939995da4947abed5b1bd3716aa9ad128691383bec55a6ad9afef996a570b990b58c51e2

Download Submit
memory/2248-3735-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-1904-0x0000000004590000-0x00000000045CA000-memory.dmp

Filesize
232KB

Download
memory/2248-3978-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-75-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-3734-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-3733-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-2999-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-2998-0x0000000000F80000-0x00000000013D8000-memory.dmp

Filesize
4.3MB

Download
memory/2248-3980-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-6005-0x0000000004590000-0x00000000045CA000-memory.dmp

Filesize
232KB

Download
memory/2248-6006-0x0000000004590000-0x00000000045CA000-memory.dmp

Filesize
232KB

Download
memory/2248-3979-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-1905-0x0000000004590000-0x00000000045CA000-memory.dmp

Filesize
232KB

Download
memory/2248-88-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-83-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-84-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-79-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-78-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-74-0x0000000004630000-0x000000000466A000-memory.dmp

Filesize
232KB

Download
memory/2248-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-7-0x0000000000F80000-0x00000000013D8000-memory.dmp

Filesize
4.3MB

Download
memory/2404-644-0x000000007792F000-0x0000000077930000-memory.dmp

Filesize
4KB

Download
memory/2404-39-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2404-42-0x000000007792F000-0x0000000077930000-memory.dmp

Filesize
4KB

Download
memory/2404-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2404-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2404-647-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2404-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2404-91-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2600-102-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2600-391-0x0000000077930000-0x0000000077931000-memory.dmp

Filesize
4KB

Download
memory/2600-106-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2600-111-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2600-110-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2600-109-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2600-108-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2600-107-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2600-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2652-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-87-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-60-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-59-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2652-58-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2652-57-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2652-53-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-46-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2688-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-19-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2688-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download