ramnit | 0ef40872ce33c49e3c7123a70b5c63bb496a9eebb0fd11888f82a7d1835246ac

Analysis

max time kernel
120s
max time network
95s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ef40872ce33c49e3c7123a70b5c63bb496a9eebb0fd11888f82a7d1835246acN.dll
Size

287KB
MD5

efbff07c2e71962c8fe0e928c4feaa70
SHA1

7d70d137d39d4b27b40328358f405a42628cc72e
SHA256

0ef40872ce33c49e3c7123a70b5c63bb496a9eebb0fd11888f82a7d1835246ac
SHA512

b2cea60521b3e39e9b126c058c59d904bce54084ed944d4fbad50a4999405acb3c9744fc768a85d1cda0178aefd980c650ef4173936e21003d06382b709f86a7
SSDEEP

3072:fCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6l:fCIGPj038tAgFMldWNX+2ehIRAl

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2064	rundll32mgr.exe
2140	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2988	rundll32.exe
2988	rundll32.exe
2064	rundll32mgr.exe
2064	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-15-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2064-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2140-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2140-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2064-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2140-83-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2140-681-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglinterop_dxva2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2988	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
2140	WaterMark.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	WaterMark.exe
Token: SeDebugPrivilege	1984	svchost.exe
Token: SeDebugPrivilege	2988	rundll32.exe
Token: SeDebugPrivilege	2140	WaterMark.exe
Token: SeDebugPrivilege	2700	WerFault.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2064	rundll32mgr.exe
2140	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2128 wrote to memory of 2988	2128	rundll32.exe	31
PID 2988 wrote to memory of 2064	2988	rundll32.exe	32
PID 2988 wrote to memory of 2064	2988	rundll32.exe	32
PID 2988 wrote to memory of 2064	2988	rundll32.exe	32
PID 2988 wrote to memory of 2064	2988	rundll32.exe	32
PID 2064 wrote to memory of 2140	2064	rundll32mgr.exe	33
PID 2064 wrote to memory of 2140	2064	rundll32mgr.exe	33
PID 2064 wrote to memory of 2140	2064	rundll32mgr.exe	33
PID 2064 wrote to memory of 2140	2064	rundll32mgr.exe	33
PID 2988 wrote to memory of 2700	2988	rundll32.exe	34
PID 2988 wrote to memory of 2700	2988	rundll32.exe	34
PID 2988 wrote to memory of 2700	2988	rundll32.exe	34
PID 2988 wrote to memory of 2700	2988	rundll32.exe	34
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 2676	2140	WaterMark.exe	35
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 2140 wrote to memory of 1984	2140	WaterMark.exe	36
PID 1984 wrote to memory of 256	1984	svchost.exe	1
PID 1984 wrote to memory of 256	1984	svchost.exe	1
PID 1984 wrote to memory of 256	1984	svchost.exe	1
PID 1984 wrote to memory of 256	1984	svchost.exe	1
PID 1984 wrote to memory of 256	1984	svchost.exe	1
PID 1984 wrote to memory of 332	1984	svchost.exe	2
PID 1984 wrote to memory of 332	1984	svchost.exe	2
PID 1984 wrote to memory of 332	1984	svchost.exe	2
PID 1984 wrote to memory of 332	1984	svchost.exe	2
PID 1984 wrote to memory of 332	1984	svchost.exe	2
PID 1984 wrote to memory of 380	1984	svchost.exe	3
PID 1984 wrote to memory of 380	1984	svchost.exe	3
PID 1984 wrote to memory of 380	1984	svchost.exe	3
PID 1984 wrote to memory of 380	1984	svchost.exe	3
PID 1984 wrote to memory of 380	1984	svchost.exe	3
PID 1984 wrote to memory of 396	1984	svchost.exe	4
PID 1984 wrote to memory of 396	1984	svchost.exe	4
PID 1984 wrote to memory of 396	1984	svchost.exe	4
PID 1984 wrote to memory of 396	1984	svchost.exe	4
PID 1984 wrote to memory of 396	1984	svchost.exe	4
PID 1984 wrote to memory of 432	1984	svchost.exe	5
PID 1984 wrote to memory of 432	1984	svchost.exe	5
PID 1984 wrote to memory of 432	1984	svchost.exe	5
PID 1984 wrote to memory of 432	1984	svchost.exe	5
PID 1984 wrote to memory of 432	1984	svchost.exe	5

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2040
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:112
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:768
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1072
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1084
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1092
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1172
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1516
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2052
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2188
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ef40872ce33c49e3c7123a70b5c63bb496a9eebb0fd11888f82a7d1835246acN.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ef40872ce33c49e3c7123a70b5c63bb496a9eebb0fd11888f82a7d1835246acN.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 224
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
253KB

MD5
8b5b4d22ce498c2cc9ac575d3c4825c6

SHA1
3c0b9a2bcd83d54b1bdde32dc4f016dde6b8d072

SHA256
c13823d80479280b467802d2aa0218a6bb3e21c2203545e985b9ca50a0a6ced3

SHA512
874ed997e461025ccbe77719faa0b8e9ea9e42ca754ffe20c366225ef6dce754676a33f56ee27c61498b91cb2b771500d0f09e04034a8d8c708bd4ecce09dc84

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
249KB

MD5
53c0eddb061881b81cf984b833a3ad4c

SHA1
2741dc311a653eaa90f0710630150120c117b17a

SHA256
6f5b4ecae02ccdcafabf0ade75c6173dc3a3cc91871174fde81562a91e7019b4

SHA512
b2ddd86880cd9acea84967e42305164ecd3a00fded8dd5fd93ea6e437476125afc12092678f8c354d42a020278c941e52446d7620406a6e68d7aa58b5fd15544

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
120KB

MD5
6c5a1f8cb177e400928e970bf3023e42

SHA1
df335cb43d37ed50cb198e35b574fe284e70134e

SHA256
4e79c0272252c466b18fcace7b7ec9ef1551587d560f2a9697eeba5e3a5cac6f

SHA512
767efe61e94933ea7799f78d6cf9d86e7b2494077295915f4a91c605a30e9685ce297d43c61b74d744038a728f91525590c2221230056e2486c79333a0179673

Download Submit
memory/1984-90-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1984-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-93-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1984-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-95-0x00000000774A0000-0x00000000774A1000-memory.dmp

Filesize
4KB

Download
memory/1984-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2064-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2064-17-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2140-89-0x000000007749F000-0x00000000774A0000-memory.dmp

Filesize
4KB

Download
memory/2140-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2140-681-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2140-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2140-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2140-42-0x000000007749F000-0x00000000774A0000-memory.dmp

Filesize
4KB

Download
memory/2140-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2140-71-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2140-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2140-40-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2140-83-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2676-46-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2676-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2676-59-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2676-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2676-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2676-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2676-60-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2676-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2676-54-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2676-415-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2988-418-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2988-8-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2988-9-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2988-12-0x0000000000200000-0x000000000023A000-memory.dmp

Filesize
232KB

Download