ramnit | 29eafd0921383977f0bd7d8b57ba9e44d326520ea1e0d02fbef2806870fae303

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 16:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe
Size

136KB
MD5

f06fb99cbc73c95a41baa4f84e6d3ba7
SHA1

f45aa611eddbe9b1d35900b6462a1dbb2c9e0793
SHA256

29eafd0921383977f0bd7d8b57ba9e44d326520ea1e0d02fbef2806870fae303
SHA512

7bc1e58563c292180febf136694510f3ac85362596ec59830dc79dc13a8290237cba6f34184a8cde289ab48c552367976ee5f3a502d0e2383ae794f6d62b48a8
SSDEEP

768:h06R0UEgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICY:HR0In3Pc0LCH9MtbvabUDzJYWu3Bb

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2824	WaterMark.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe
3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-4-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-2-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3064-1-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2824-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2824-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2824-69-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2824-587-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\installer.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2824	WaterMark.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	WaterMark.exe
Token: SeDebugPrivilege	2192	svchost.exe
Token: SeDebugPrivilege	2824	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe
2824	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2824	3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe	30
PID 3064 wrote to memory of 2824	3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe	30
PID 3064 wrote to memory of 2824	3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe	30
PID 3064 wrote to memory of 2824	3064	JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe	30
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2688	2824	WaterMark.exe	31
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2824 wrote to memory of 2192	2824	WaterMark.exe	32
PID 2192 wrote to memory of 256	2192	svchost.exe	1
PID 2192 wrote to memory of 256	2192	svchost.exe	1
PID 2192 wrote to memory of 256	2192	svchost.exe	1
PID 2192 wrote to memory of 256	2192	svchost.exe	1
PID 2192 wrote to memory of 256	2192	svchost.exe	1
PID 2192 wrote to memory of 332	2192	svchost.exe	2
PID 2192 wrote to memory of 332	2192	svchost.exe	2
PID 2192 wrote to memory of 332	2192	svchost.exe	2
PID 2192 wrote to memory of 332	2192	svchost.exe	2
PID 2192 wrote to memory of 332	2192	svchost.exe	2
PID 2192 wrote to memory of 368	2192	svchost.exe	3
PID 2192 wrote to memory of 368	2192	svchost.exe	3
PID 2192 wrote to memory of 368	2192	svchost.exe	3
PID 2192 wrote to memory of 368	2192	svchost.exe	3
PID 2192 wrote to memory of 368	2192	svchost.exe	3
PID 2192 wrote to memory of 380	2192	svchost.exe	4
PID 2192 wrote to memory of 380	2192	svchost.exe	4
PID 2192 wrote to memory of 380	2192	svchost.exe	4
PID 2192 wrote to memory of 380	2192	svchost.exe	4
PID 2192 wrote to memory of 380	2192	svchost.exe	4
PID 2192 wrote to memory of 416	2192	svchost.exe	5
PID 2192 wrote to memory of 416	2192	svchost.exe	5
PID 2192 wrote to memory of 416	2192	svchost.exe	5
PID 2192 wrote to memory of 416	2192	svchost.exe	5
PID 2192 wrote to memory of 416	2192	svchost.exe	5
PID 2192 wrote to memory of 468	2192	svchost.exe	6
PID 2192 wrote to memory of 468	2192	svchost.exe	6
PID 2192 wrote to memory of 468	2192	svchost.exe	6
PID 2192 wrote to memory of 468	2192	svchost.exe	6
PID 2192 wrote to memory of 468	2192	svchost.exe	6
PID 2192 wrote to memory of 476	2192	svchost.exe	7
PID 2192 wrote to memory of 476	2192	svchost.exe	7
PID 2192 wrote to memory of 476	2192	svchost.exe	7
PID 2192 wrote to memory of 476	2192	svchost.exe	7
PID 2192 wrote to memory of 476	2192	svchost.exe	7
PID 2192 wrote to memory of 484	2192	svchost.exe	8
PID 2192 wrote to memory of 484	2192	svchost.exe	8
PID 2192 wrote to memory of 484	2192	svchost.exe	8
PID 2192 wrote to memory of 484	2192	svchost.exe	8
PID 2192 wrote to memory of 484	2192	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1128
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1588
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1232
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:288
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1132
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1856
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:824
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f06fb99cbc73c95a41baa4f84e6d3ba7.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2192

Network

DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.180.14
DNS

rterybrstutnrsbberve.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rterybrstutnrsbberve.com

IN A

Response

rterybrstutnrsbberve.com

IN A

34.253.216.9
DNS

erwbtkidthetcwerc.com

svchost.exe

Remote address:

8.8.8.8:53

Request

erwbtkidthetcwerc.com

IN A

Response

erwbtkidthetcwerc.com

IN A

34.253.216.9
DNS

erwbtkidthetcwerc.com

svchost.exe

Remote address:

8.8.8.8:53

Request

erwbtkidthetcwerc.com

IN A
DNS

rvbwtbeitwjeitv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rvbwtbeitwjeitv.com

IN A

Response

rvbwtbeitwjeitv.com

IN A

204.95.99.221
DNS

rvbwtbeitwjeitv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rvbwtbeitwjeitv.com

IN A
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.180.14
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

91.220.62.30:443

svchost.exe

152 B
3
142.250.180.14:80

google.com

svchost.exe

98 B
52 B
2
1
91.220.62.30:443

svchost.exe

152 B
3
34.253.216.9:443

rterybrstutnrsbberve.com

https

svchost.exe

190 B
216 B
4
5
34.253.216.9:443

rterybrstutnrsbberve.com

https

svchost.exe

274 B
176 B
4
4
34.253.216.9:443

erwbtkidthetcwerc.com

https

svchost.exe

334 B
256 B
7
6
34.253.216.9:443

erwbtkidthetcwerc.com

https

svchost.exe

360 B
256 B
6
6
204.95.99.221:443

rvbwtbeitwjeitv.com

https

svchost.exe

559 B
132 B
12
3
204.95.99.221:443

rvbwtbeitwjeitv.com

https

svchost.exe

1.1kB
52 B
12
1
142.250.180.14:80

google.com

svchost.exe

150 B
52 B
3
1
142.250.180.14:80

google.com

svchost.exe

98 B
52 B
2
1

8.8.8.8:53

google.com

dns

svchost.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.180.14
8.8.8.8:53

rterybrstutnrsbberve.com

dns

svchost.exe

70 B
86 B
1
1

DNS Request

rterybrstutnrsbberve.com

DNS Response

34.253.216.9
8.8.8.8:53

erwbtkidthetcwerc.com

dns

svchost.exe

134 B
83 B
2
1

DNS Request

erwbtkidthetcwerc.com

DNS Request

erwbtkidthetcwerc.com

DNS Response

34.253.216.9
8.8.8.8:53

rvbwtbeitwjeitv.com

dns

svchost.exe

130 B
81 B
2
1

DNS Request

rvbwtbeitwjeitv.com

DNS Request

rvbwtbeitwjeitv.com

DNS Response

204.95.99.221
8.8.8.8:53

google.com

dns

svchost.exe

112 B
72 B
2
1

DNS Request

google.com

DNS Request

google.com

DNS Response

142.250.180.14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
286KB

MD5
e828b3dcf5c9b2210da25dc88b76433a

SHA1
e197d9b39c8ca69a8b718a08dec8e37aeb0a38d3

SHA256
d1cdd502a746d3fc1c391b55f84819cfd5a45ed9b242783b99f4f312307463ed

SHA512
7be44f95ec9fbffac96fbd41bc9b7f6e46b1b310d480b4efa51a1ef80628aab40d1d8ade6fcb897489752106531cbc526badccd337faee58251d396f2d33666b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
282KB

MD5
d182f1a8da9d15cbb6b87e93266b11e8

SHA1
d99c868c9d8893d8b1e30bc9147b2395a2a0e003

SHA256
7a33116ac26577ef59adcc659dc5505a5a056a7bac6d9675012ca684d60de875

SHA512
f29fb073f8b19d372d011b63c3cc790f47f13bd59b778d2f3f7c4c0c345fe287a99056fa9def6528fa0bfd05ef2590e8b0288769344e7d803a8616a70a24f9a2

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
136KB

MD5
f06fb99cbc73c95a41baa4f84e6d3ba7

SHA1
f45aa611eddbe9b1d35900b6462a1dbb2c9e0793

SHA256
29eafd0921383977f0bd7d8b57ba9e44d326520ea1e0d02fbef2806870fae303

SHA512
7bc1e58563c292180febf136694510f3ac85362596ec59830dc79dc13a8290237cba6f34184a8cde289ab48c552367976ee5f3a502d0e2383ae794f6d62b48a8

Download Submit
memory/2192-60-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2192-80-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2192-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2192-77-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2192-78-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2192-79-0x0000000076F60000-0x0000000076F61000-memory.dmp

Filesize
4KB

Download
memory/2192-76-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2192-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2192-70-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2688-52-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-47-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-31-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-33-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2688-41-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2688-40-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2688-42-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-53-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-334-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2688-51-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2824-59-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2824-58-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2824-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2824-27-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2824-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2824-29-0x0000000076F5F000-0x0000000076F60000-memory.dmp

Filesize
4KB

Download
memory/2824-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2824-587-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2824-75-0x0000000076F5F000-0x0000000076F60000-memory.dmp

Filesize
4KB

Download
memory/3064-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3064-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3064-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.