ramnit | e8399a473af5316fbbbafb2b12015562fe73f990596850786d3e5d1a14358fba

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 07:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll
Size

156KB
MD5

4c9a1d8f0b983034f302f2622795fa0d
SHA1

a88c4ae6ec6f29aa6a3bf8723c2deffdb8fbc545
SHA256

e8399a473af5316fbbbafb2b12015562fe73f990596850786d3e5d1a14358fba
SHA512

cfecf60fceef93d7e410da43537c8e1f8a9cec57a2db6a10ff9e0a38ff8f48e2d53713aedf9fe00aa2dce3305fce79f8c47730d850621848175a157313c69963
SSDEEP

3072:G61Ye3TaEu2CoCcn3zO7A4D8XlizSxNP8OZfitqTPwZb:bTa12CoCckAe81gSxNPBfvP

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1628	rundll32Srv.exe
3016	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2296	rundll32.exe
2296	rundll32.exe
1628	rundll32Srv.exe
1628	rundll32Srv.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1628-13-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/files/0x00100000000122f3-11.dat	upx
behavioral1/memory/1628-17-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-26-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-31-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-29-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-69-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-675-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sbdrop.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2native.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdmproxy100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
832	2296	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
3016	WaterMark.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe
2856	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	WaterMark.exe
Token: SeDebugPrivilege	2856	svchost.exe
Token: SeDebugPrivilege	832	WerFault.exe
Token: SeDebugPrivilege	2296	rundll32.exe
Token: SeDebugPrivilege	3016	WaterMark.exe
Token: SeDebugPrivilege	1892	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 816 wrote to memory of 2296	816	rundll32.exe	30
PID 2296 wrote to memory of 1628	2296	rundll32.exe	31
PID 2296 wrote to memory of 1628	2296	rundll32.exe	31
PID 2296 wrote to memory of 1628	2296	rundll32.exe	31
PID 2296 wrote to memory of 1628	2296	rundll32.exe	31
PID 2296 wrote to memory of 832	2296	rundll32.exe	32
PID 2296 wrote to memory of 832	2296	rundll32.exe	32
PID 2296 wrote to memory of 832	2296	rundll32.exe	32
PID 2296 wrote to memory of 832	2296	rundll32.exe	32
PID 1628 wrote to memory of 3016	1628	rundll32Srv.exe	33
PID 1628 wrote to memory of 3016	1628	rundll32Srv.exe	33
PID 1628 wrote to memory of 3016	1628	rundll32Srv.exe	33
PID 1628 wrote to memory of 3016	1628	rundll32Srv.exe	33
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 1892	3016	WaterMark.exe	34
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 3016 wrote to memory of 2856	3016	WaterMark.exe	35
PID 2856 wrote to memory of 256	2856	svchost.exe	1
PID 2856 wrote to memory of 256	2856	svchost.exe	1
PID 2856 wrote to memory of 256	2856	svchost.exe	1
PID 2856 wrote to memory of 256	2856	svchost.exe	1
PID 2856 wrote to memory of 256	2856	svchost.exe	1
PID 2856 wrote to memory of 332	2856	svchost.exe	2
PID 2856 wrote to memory of 332	2856	svchost.exe	2
PID 2856 wrote to memory of 332	2856	svchost.exe	2
PID 2856 wrote to memory of 332	2856	svchost.exe	2
PID 2856 wrote to memory of 332	2856	svchost.exe	2
PID 2856 wrote to memory of 368	2856	svchost.exe	3
PID 2856 wrote to memory of 368	2856	svchost.exe	3
PID 2856 wrote to memory of 368	2856	svchost.exe	3
PID 2856 wrote to memory of 368	2856	svchost.exe	3
PID 2856 wrote to memory of 368	2856	svchost.exe	3
PID 2856 wrote to memory of 380	2856	svchost.exe	4
PID 2856 wrote to memory of 380	2856	svchost.exe	4
PID 2856 wrote to memory of 380	2856	svchost.exe	4
PID 2856 wrote to memory of 380	2856	svchost.exe	4
PID 2856 wrote to memory of 380	2856	svchost.exe	4
PID 2856 wrote to memory of 412	2856	svchost.exe	5
PID 2856 wrote to memory of 412	2856	svchost.exe	5
PID 2856 wrote to memory of 412	2856	svchost.exe	5
PID 2856 wrote to memory of 412	2856	svchost.exe	5
PID 2856 wrote to memory of 412	2856	svchost.exe	5

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1660
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1740
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:796
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1012
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1032
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1196
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2484
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2520
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\rundll32Srv.exe
      C:\Windows\SysWOW64\rundll32Srv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 228
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:832

Network

DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

216.58.214.174
DNS

fget-career.com

svchost.exe

Remote address:

8.8.8.8:53

Request

fget-career.com

IN A

Response

fget-career.com

IN A

34.253.216.9
DNS

eavytybstr.com

svchost.exe

Remote address:

8.8.8.8:53

Request

eavytybstr.com

IN A

Response
DNS

eavytybstr.com

svchost.exe

Remote address:

8.8.8.8:53

Request

eavytybstr.com

IN A

Response
DNS

tybsrthynuyksrtvyaerb.com

svchost.exe

Remote address:

8.8.8.8:53

Request

tybsrthynuyksrtvyaerb.com

IN A

Response
DNS

waecybuojityer.com

svchost.exe

Remote address:

8.8.8.8:53

Request

waecybuojityer.com

IN A

Response

waecybuojityer.com

IN A

34.253.216.9
DNS

qwreertyutifgjdfgsdvxcb.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qwreertyutifgjdfgsdvxcb.com

IN A

Response

34.253.216.9:443

fget-career.com

https

svchost.exe

282 B
256 B
6
6
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1
34.253.216.9:443

fget-career.com

https

svchost.exe

273 B
216 B
4
5
34.253.216.9:443

waecybuojityer.com

https

svchost.exe

190 B
216 B
4
5
34.253.216.9:443

waecybuojityer.com

https

svchost.exe

365 B
256 B
6
6
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1

8.8.8.8:53

google.com

dns

svchost.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

216.58.214.174
8.8.8.8:53

fget-career.com

dns

svchost.exe

61 B
77 B
1
1

DNS Request

fget-career.com

DNS Response

34.253.216.9
8.8.8.8:53

eavytybstr.com

dns

svchost.exe

60 B
60 B
1
1

DNS Request

eavytybstr.com
8.8.8.8:53

eavytybstr.com

dns

svchost.exe

60 B
60 B
1
1

DNS Request

eavytybstr.com
8.8.8.8:53

tybsrthynuyksrtvyaerb.com

dns

svchost.exe

71 B
144 B
1
1

DNS Request

tybsrthynuyksrtvyaerb.com
8.8.8.8:53

waecybuojityer.com

dns

svchost.exe

64 B
80 B
1
1

DNS Request

waecybuojityer.com

DNS Response

34.253.216.9
8.8.8.8:53

qwreertyutifgjdfgsdvxcb.com

dns

svchost.exe

73 B
146 B
1
1

DNS Request

qwreertyutifgjdfgsdvxcb.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
201KB

MD5
767eb5d6751aa8fcff636622d12f7046

SHA1
eac9bfdcdd60fdbf9026ec238fb3f2ab29b63d9d

SHA256
ae220ed6ae256b5e3cc14a22cfb7939f2840582662a424dbc57ff1e6e068d2d5

SHA512
f24289c178882e1ef77c668df03abb85e6f2d89f59b54933218c95718d9138e34e210f84b050cceac83d953e64b1d47213dc56de96d7a88bc3af34086488272b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
198KB

MD5
664c40bc41bb809363bb527caf71eae7

SHA1
d63e50230a1d575517d0ee638ae631f6eaa62879

SHA256
3fb0037804ec5de62b46a7427f69eada8d40579fb0ffc79213c7587c2e9933bc

SHA512
8d30aeda2932ff39337f29c169ecb6ea942df15240c4d5d5baa7f60f9a9853880d4892eddf13259786ab7ab6d2f6cdf5c6e466363df7068b01e4167e7aff35d3

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
94KB

MD5
f6736faa3126f64ed4a7109e40c47806

SHA1
0d50917f44d6e173bac24916c95343616dcbf18c

SHA256
bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

SHA512
29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

Download Submit
memory/1628-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1628-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-33-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1892-39-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1892-43-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1892-44-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1892-53-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1892-45-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1892-420-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1892-48-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1892-35-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2296-28-0x000000006D100000-0x000000006D127000-memory.dmp

Filesize
156KB

Download
memory/2296-0-0x000000006D100000-0x000000006D127000-memory.dmp

Filesize
156KB

Download
memory/2296-3-0x000000006D100000-0x000000006D127000-memory.dmp

Filesize
156KB

Download
memory/2296-12-0x0000000000200000-0x0000000000241000-memory.dmp

Filesize
260KB

Download
memory/2296-2-0x000000006D100000-0x000000006D127000-memory.dmp

Filesize
156KB

Download
memory/2296-1-0x000000006D100000-0x000000006D127000-memory.dmp

Filesize
156KB

Download
memory/2856-68-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-75-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-58-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-64-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2856-74-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2856-71-0x00000000774E0000-0x00000000774E1000-memory.dmp

Filesize
4KB

Download
memory/2856-70-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3016-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-55-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3016-56-0x00000000774DF000-0x00000000774E0000-memory.dmp

Filesize
4KB

Download
memory/3016-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-672-0x00000000774DF000-0x00000000774E0000-memory.dmp

Filesize
4KB

Download
memory/3016-675-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-30-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3016-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.