ramnit | c4a99dae29a2997532a0a9c1862107d2c05d0a4b4aa72313fdbd1f224ad6a54a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a99dae29a2997532a0a9c1862107d2c05d0a4b4aa72313fdbd1f224ad6a54a.dll
Size

184KB
MD5

e0eaa8eb8127bf8e357b98ecf0d683ad
SHA1

26b377892798c12f700cca966764030d00de312e
SHA256

c4a99dae29a2997532a0a9c1862107d2c05d0a4b4aa72313fdbd1f224ad6a54a
SHA512

31dfbbf8f523a4d11256451b9a1e3c5e8cb31a5584a60b3fa06086a0bade9ca36c8fe7be9aee67d51082b05a260cea3c9519b88ac65233a21f2d701de488da8a
SSDEEP

3072:jn4cV8gf2u41Z5tKlw+riClf+gfjxbfkhbf:L4y8gOl2zrhlf++xYhb

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1292	rundll32mgr.exe
2936	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
768	rundll32.exe
768	rundll32.exe
1292	rundll32mgr.exe
1292	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-37-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1292-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1292-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1292-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1292-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1292-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1292-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-86-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-605-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2native.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcs.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\DisconnectSave.htm	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\jnwdui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpenc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2936	WaterMark.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	WaterMark.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	2936	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1292	rundll32mgr.exe
2936	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 860 wrote to memory of 768	860	rundll32.exe	30
PID 768 wrote to memory of 1292	768	rundll32.exe	31
PID 768 wrote to memory of 1292	768	rundll32.exe	31
PID 768 wrote to memory of 1292	768	rundll32.exe	31
PID 768 wrote to memory of 1292	768	rundll32.exe	31
PID 1292 wrote to memory of 2936	1292	rundll32mgr.exe	32
PID 1292 wrote to memory of 2936	1292	rundll32mgr.exe	32
PID 1292 wrote to memory of 2936	1292	rundll32mgr.exe	32
PID 1292 wrote to memory of 2936	1292	rundll32mgr.exe	32
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2768	2936	WaterMark.exe	33
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2936 wrote to memory of 2732	2936	WaterMark.exe	34
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 332	2732	svchost.exe	2
PID 2732 wrote to memory of 332	2732	svchost.exe	2
PID 2732 wrote to memory of 332	2732	svchost.exe	2
PID 2732 wrote to memory of 332	2732	svchost.exe	2
PID 2732 wrote to memory of 332	2732	svchost.exe	2
PID 2732 wrote to memory of 380	2732	svchost.exe	3
PID 2732 wrote to memory of 380	2732	svchost.exe	3
PID 2732 wrote to memory of 380	2732	svchost.exe	3
PID 2732 wrote to memory of 380	2732	svchost.exe	3
PID 2732 wrote to memory of 380	2732	svchost.exe	3
PID 2732 wrote to memory of 388	2732	svchost.exe	4
PID 2732 wrote to memory of 388	2732	svchost.exe	4
PID 2732 wrote to memory of 388	2732	svchost.exe	4
PID 2732 wrote to memory of 388	2732	svchost.exe	4
PID 2732 wrote to memory of 388	2732	svchost.exe	4
PID 2732 wrote to memory of 428	2732	svchost.exe	5
PID 2732 wrote to memory of 428	2732	svchost.exe	5
PID 2732 wrote to memory of 428	2732	svchost.exe	5
PID 2732 wrote to memory of 428	2732	svchost.exe	5
PID 2732 wrote to memory of 428	2732	svchost.exe	5
PID 2732 wrote to memory of 472	2732	svchost.exe	6
PID 2732 wrote to memory of 472	2732	svchost.exe	6
PID 2732 wrote to memory of 472	2732	svchost.exe	6
PID 2732 wrote to memory of 472	2732	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1264
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:316
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:344
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1044
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:340
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2476
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2268
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4a99dae29a2997532a0a9c1862107d2c05d0a4b4aa72313fdbd1f224ad6a54a.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4a99dae29a2997532a0a9c1862107d2c05d0a4b4aa72313fdbd1f224ad6a54a.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
198KB

MD5
12ba74ef680738bd5cfefceb6d2b00de

SHA1
e4f682389ad31a28d676e167ecee244674ae1aaf

SHA256
a95d28c3a82a674c4367322893abbf1bde0535cc48cf779e3d8454901a889314

SHA512
056d3bfd8303d82f1ec6f18799b96fa0a57b76eb3f31ebb6797abac2cea7aa246ecd986f5c5554aa9d00c60062d5f2944de71c5abc28bf4fc67170715b6545db

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
194KB

MD5
561244e57e5406f73d840e77615c1781

SHA1
8b48784e2f38d5928aadaadcc89fdbc4b383ea00

SHA256
9cb49a48696c8eaa2c8c939713d9545a8d5de258a13ef85bb2d9965276a1398f

SHA512
ae9390290aafbfdcac759178e4fba7b77e799fd9d4bff6bd5757606052450e64847d1ff82fd7e4e852bd9b74334c98a7e332433150d6715783a3e22b908a62c9

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
dace075bf1731bb90fc56f559f9e864f

SHA1
2147f6b576b71bba1f1c1117f86ecb123e941bab

SHA256
bc2ed6ce2caca16e2d4f77e2f59608fa901993a87a419e8066cda64eae8b9e8d

SHA512
f28c6c90c8ea26f8af6a62963249f4c420605040d2048db0b516dcd10f196173ea9dfbc8ab595db5241e0f3c4f57e9db690eb57abd4d795278f748651a01d0cf

Download Submit
memory/768-4-0x0000000000180000-0x00000000001A9000-memory.dmp

Filesize
164KB

Download
memory/768-1-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1292-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1292-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-87-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2732-91-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2732-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-90-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2732-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2768-62-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2768-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2768-352-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2768-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2768-58-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2768-45-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2768-61-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2768-60-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2768-53-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2936-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-70-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2936-349-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/2936-40-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/2936-605-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-39-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2936-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download