ramnit | 8c923f1cab21f25fa36d4de7d7519817403f25ec0cf4129f3358124a12b277e0

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 20:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60972c3782d680a08f18598dbceb9400.dll
Size

300KB
MD5

60972c3782d680a08f18598dbceb9400
SHA1

ff5502522d41e30cf8ca5481cfb773ec36912d8c
SHA256

8c923f1cab21f25fa36d4de7d7519817403f25ec0cf4129f3358124a12b277e0
SHA512

6e2f5ed70e9fc8afac18155bf0660b57172b884c63c3565c513210510aac144a151e43865f2a01004118e5a195191d9c9d50e08ce99726ceca8913e28547f7f1
SSDEEP

3072:em07c4fHCp/AZX/AGUBUpV7Os2kKerYVSrfishHwJjocVFEn6rLmXGqIFbaghzoC:07dHCc/ASsad1rasdUVUt3gVoWYy

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3068	regsvr32mgr.exe
1712	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
1996	regsvr32.exe
1996	regsvr32.exe
3068	regsvr32mgr.exe
3068	regsvr32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-29-0x0000000000050000-0x0000000000079000-memory.dmp	upx
behavioral1/memory/1712-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-371-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-637-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3068-3787-0x0000000000050000-0x0000000000079000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java_crw_demo.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	WaterMark.exe
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeDebugPrivilege	1712	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3068	regsvr32mgr.exe
1712	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 2016 wrote to memory of 1996	2016	regsvr32.exe	30
PID 1996 wrote to memory of 3068	1996	regsvr32.exe	31
PID 1996 wrote to memory of 3068	1996	regsvr32.exe	31
PID 1996 wrote to memory of 3068	1996	regsvr32.exe	31
PID 1996 wrote to memory of 3068	1996	regsvr32.exe	31
PID 3068 wrote to memory of 1712	3068	regsvr32mgr.exe	32
PID 3068 wrote to memory of 1712	3068	regsvr32mgr.exe	32
PID 3068 wrote to memory of 1712	3068	regsvr32mgr.exe	32
PID 3068 wrote to memory of 1712	3068	regsvr32mgr.exe	32
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2412	1712	WaterMark.exe	33
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 1712 wrote to memory of 2752	1712	WaterMark.exe	35
PID 2752 wrote to memory of 256	2752	svchost.exe	1
PID 2752 wrote to memory of 256	2752	svchost.exe	1
PID 2752 wrote to memory of 256	2752	svchost.exe	1
PID 2752 wrote to memory of 256	2752	svchost.exe	1
PID 2752 wrote to memory of 256	2752	svchost.exe	1
PID 2752 wrote to memory of 336	2752	svchost.exe	2
PID 2752 wrote to memory of 336	2752	svchost.exe	2
PID 2752 wrote to memory of 336	2752	svchost.exe	2
PID 2752 wrote to memory of 336	2752	svchost.exe	2
PID 2752 wrote to memory of 336	2752	svchost.exe	2
PID 2752 wrote to memory of 384	2752	svchost.exe	3
PID 2752 wrote to memory of 384	2752	svchost.exe	3
PID 2752 wrote to memory of 384	2752	svchost.exe	3
PID 2752 wrote to memory of 384	2752	svchost.exe	3
PID 2752 wrote to memory of 384	2752	svchost.exe	3
PID 2752 wrote to memory of 392	2752	svchost.exe	4
PID 2752 wrote to memory of 392	2752	svchost.exe	4
PID 2752 wrote to memory of 392	2752	svchost.exe	4
PID 2752 wrote to memory of 392	2752	svchost.exe	4
PID 2752 wrote to memory of 392	2752	svchost.exe	4
PID 2752 wrote to memory of 432	2752	svchost.exe	5
PID 2752 wrote to memory of 432	2752	svchost.exe	5
PID 2752 wrote to memory of 432	2752	svchost.exe	5
PID 2752 wrote to memory of 432	2752	svchost.exe	5
PID 2752 wrote to memory of 432	2752	svchost.exe	5
PID 2752 wrote to memory of 476	2752	svchost.exe	6
PID 2752 wrote to memory of 476	2752	svchost.exe	6
PID 2752 wrote to memory of 476	2752	svchost.exe	6
PID 2752 wrote to memory of 476	2752	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2024
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1628
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:660
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1156
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2824
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1012
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1060
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1420
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2552
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2404
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60972c3782d680a08f18598dbceb9400.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60972c3782d680a08f18598dbceb9400.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2412
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752

Network

DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

216.58.214.174
DNS

rterybrstutnrsbberve.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rterybrstutnrsbberve.com

IN A

Response

rterybrstutnrsbberve.com

IN A

34.253.216.9
DNS

erwbtkidthetcwerc.com

svchost.exe

Remote address:

8.8.8.8:53

Request

erwbtkidthetcwerc.com

IN A

Response

erwbtkidthetcwerc.com

IN A

34.253.216.9
DNS

rvbwtbeitwjeitv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rvbwtbeitwjeitv.com

IN A

Response

rvbwtbeitwjeitv.com

IN A

204.95.99.221

91.220.62.30:443

svchost.exe

152 B
3
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1
91.220.62.30:443

svchost.exe

152 B
3
34.253.216.9:443

rterybrstutnrsbberve.com

https

svchost.exe

191 B
176 B
4
4
34.253.216.9:443

rterybrstutnrsbberve.com

https

svchost.exe

268 B
216 B
4
5
34.253.216.9:443

erwbtkidthetcwerc.com

https

svchost.exe

190 B
216 B
4
5
34.253.216.9:443

erwbtkidthetcwerc.com

https

svchost.exe

268 B
216 B
4
5
204.95.99.221:443

rvbwtbeitwjeitv.com

https

svchost.exe

558 B
132 B
12
3
204.95.99.221:443

rvbwtbeitwjeitv.com

https

svchost.exe

1.3kB
132 B
14
3
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1
216.58.214.174:80

google.com

svchost.exe

98 B
52 B
2
1

8.8.8.8:53

google.com

dns

svchost.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

216.58.214.174
8.8.8.8:53

rterybrstutnrsbberve.com

dns

svchost.exe

70 B
86 B
1
1

DNS Request

rterybrstutnrsbberve.com

DNS Response

34.253.216.9
8.8.8.8:53

erwbtkidthetcwerc.com

dns

svchost.exe

67 B
83 B
1
1

DNS Request

erwbtkidthetcwerc.com

DNS Response

34.253.216.9
8.8.8.8:53

rvbwtbeitwjeitv.com

dns

svchost.exe

65 B
81 B
1
1

DNS Request

rvbwtbeitwjeitv.com

DNS Response

204.95.99.221

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
204KB

MD5
4730a139742aacb64a6cb63c5154e022

SHA1
9264ac01152e853aab90e3fd89a20a7965205a0f

SHA256
53571ef002284c00fcbef9da6981adcd1d160c0986537c605761ff6e5eca88ab

SHA512
5cb196ede8e5448f557071d675bb94527b2adbdc910cdc7d60aff2d1a94613fe28105292af4f6ed13d5ff7e533fc3a98174b66794faba9a5f0eec83220e717ba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
200KB

MD5
a88f01a0a053b6c4b1271c51a397cb0c

SHA1
ea307de2d8a370dfb02d3704fef0cb505380d75e

SHA256
8ca449d4ee52f985c74642b9028296133f2083c88a976ed7b5eda68615471f50

SHA512
12cf8466f42a6eb5a29bf4407fe383f253ff5489c574eab1357be0ec94cd567cbe38927930ba76e3fa985c04ef834064c413f144340a9f25a0ecb2d89f59eff6

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
95KB

MD5
83176054d3fb2f5846d1ad15f0a1a377

SHA1
6770d091852d08f0dfd2ff0bc79ecf7a09445b19

SHA256
36a6025aea777d2e8cdd53529875bb9c90a51088af7f4148967e5a5d1ece4181

SHA512
151b11ed40722f7eb70850f3d84fc6918cbc88587a0968769f30bacf3fdf87e5fcd42de1aaa7dbf3ffbb34333ef59f1daceb9f0c4f30872a0ce745f9b719d933

Download Submit
memory/1712-70-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1712-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-637-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-374-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/1712-371-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-42-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/1712-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1712-41-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1712-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-1-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1996-3-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/2412-59-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2412-61-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2412-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2412-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2412-54-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2412-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2412-46-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2412-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2752-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-86-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2752-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-82-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2752-89-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-28-0x0000000000050000-0x0000000000079000-memory.dmp

Filesize
164KB

Download
memory/3068-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-29-0x0000000000050000-0x0000000000079000-memory.dmp

Filesize
164KB

Download
memory/3068-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3068-11-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3068-3787-0x0000000000050000-0x0000000000079000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.