ramnit | 5c81f6cbe9028f358e71d67da0acc6fb14cee4d1f9d3e9996120c0f2cf69bf00

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll
Size

272KB
MD5

1fcf2a538f2708342acbfb01ce584b77
SHA1

0c4d2ff956f0319261203ec2946235546f46e8c0
SHA256

5c81f6cbe9028f358e71d67da0acc6fb14cee4d1f9d3e9996120c0f2cf69bf00
SHA512

d821f64ae78a724d62c2b4097938c7c3bbc4e28a9ddc884d10b30c9085ad44debc17b46d86b0e9a069f133606d64f24b064ba79580e92c35796b9151037e1498
SSDEEP

3072:261Ye3TaEu2CoCcn3zO7A4D8XHDfTGuwnh7BJz3gOu2RkEVae:rTa12CoCckAe8Dgt0Ol

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2652	rundll32mgr.exe
2120	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2880	rundll32.exe
2880	rundll32.exe
2652	rundll32mgr.exe
2652	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-16-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2652-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2652-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2652-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2120-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2120-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2120-35-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2652-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2652-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2652-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2652-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2120-88-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2120-684-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\JNTFiltr.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\zip.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\InkSeg.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANR.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingEngine.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2native.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	2880	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2120	WaterMark.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	WaterMark.exe
Token: SeDebugPrivilege	2968	svchost.exe
Token: SeDebugPrivilege	2880	rundll32.exe
Token: SeDebugPrivilege	2120	WaterMark.exe
Token: SeDebugPrivilege	2816	WerFault.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2652	rundll32mgr.exe
2120	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2452 wrote to memory of 2880	2452	rundll32.exe	31
PID 2880 wrote to memory of 2652	2880	rundll32.exe	32
PID 2880 wrote to memory of 2652	2880	rundll32.exe	32
PID 2880 wrote to memory of 2652	2880	rundll32.exe	32
PID 2880 wrote to memory of 2652	2880	rundll32.exe	32
PID 2652 wrote to memory of 2120	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2120	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2120	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2120	2652	rundll32mgr.exe	33
PID 2880 wrote to memory of 2816	2880	rundll32.exe	34
PID 2880 wrote to memory of 2816	2880	rundll32.exe	34
PID 2880 wrote to memory of 2816	2880	rundll32.exe	34
PID 2880 wrote to memory of 2816	2880	rundll32.exe	34
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2900	2120	WaterMark.exe	35
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2120 wrote to memory of 2968	2120	WaterMark.exe	36
PID 2968 wrote to memory of 256	2968	svchost.exe	1
PID 2968 wrote to memory of 256	2968	svchost.exe	1
PID 2968 wrote to memory of 256	2968	svchost.exe	1
PID 2968 wrote to memory of 256	2968	svchost.exe	1
PID 2968 wrote to memory of 256	2968	svchost.exe	1
PID 2968 wrote to memory of 332	2968	svchost.exe	2
PID 2968 wrote to memory of 332	2968	svchost.exe	2
PID 2968 wrote to memory of 332	2968	svchost.exe	2
PID 2968 wrote to memory of 332	2968	svchost.exe	2
PID 2968 wrote to memory of 332	2968	svchost.exe	2
PID 2968 wrote to memory of 384	2968	svchost.exe	3
PID 2968 wrote to memory of 384	2968	svchost.exe	3
PID 2968 wrote to memory of 384	2968	svchost.exe	3
PID 2968 wrote to memory of 384	2968	svchost.exe	3
PID 2968 wrote to memory of 384	2968	svchost.exe	3
PID 2968 wrote to memory of 396	2968	svchost.exe	4
PID 2968 wrote to memory of 396	2968	svchost.exe	4
PID 2968 wrote to memory of 396	2968	svchost.exe	4
PID 2968 wrote to memory of 396	2968	svchost.exe	4
PID 2968 wrote to memory of 396	2968	svchost.exe	4
PID 2968 wrote to memory of 432	2968	svchost.exe	5
PID 2968 wrote to memory of 432	2968	svchost.exe	5
PID 2968 wrote to memory of 432	2968	svchost.exe	5
PID 2968 wrote to memory of 432	2968	svchost.exe	5
PID 2968 wrote to memory of 432	2968	svchost.exe	5

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1680
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:800
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:1492
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1820
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:328
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1500
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2548
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2352
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 224
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
428KB

MD5
94fe4660585652f794b7e524c3588556

SHA1
da00f9f98253520ad2a8343ab9b8965ef5ba7d70

SHA256
719780cd46dc227b4204a88d876b02e363cdba0b629e0a90ea8b2a3e32aeb1c1

SHA512
2ee3d757e29dcf37aca7de35d8cefffc6ae86cbd7f882199c73f2b9813752346eff9dc26fee92b9dca4ac9b108db898a16ca8b2a0f687c5caba299bc3526a822

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
424KB

MD5
7f7511423c71e1ec5fee704518f87578

SHA1
8f6bff29c7dd6ade023d816731019e025eca746a

SHA256
7cf68511497ff34f3f2435b51092816002da077cd68b7d5bbf3cc1d6b4043f47

SHA512
47634cecc799970f11524b984909152ed94dbd8c7786c0a81502772704865f3ecb980745098000d086e6eff3646f17194f35425f87ced2e4eaf57889d8e159c9

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
207KB

MD5
d27fdd034caf68959b687174ef2ab8db

SHA1
5c1003a7383d8a9163efd9f1b30345d2ab6a49b8

SHA256
f5b72968cebc82ccce4cad4b1bad411e13dc29ee92d0133f4818f2de36d52b0c

SHA512
8750ffb67b6fa73078a99b5a2c7db8454885a3758e5813c3074689d3de0c23e4553d62ae092349aafeba863b54429d0a2fa6eea58b48d4d4576d1550c6cbc3f7

Download Submit
memory/2120-40-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2120-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2120-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2120-42-0x000000007760F000-0x0000000077610000-memory.dmp

Filesize
4KB

Download
memory/2120-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2120-72-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2120-684-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2120-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2120-415-0x000000007760F000-0x0000000077610000-memory.dmp

Filesize
4KB

Download
memory/2652-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2652-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-7-0x000000006D100000-0x000000006D144000-memory.dmp

Filesize
272KB

Download
memory/2880-8-0x000000006D100000-0x000000006D144000-memory.dmp

Filesize
272KB

Download
memory/2880-421-0x000000006D100000-0x000000006D144000-memory.dmp

Filesize
272KB

Download
memory/2880-9-0x0000000000240000-0x000000000027F000-memory.dmp

Filesize
252KB

Download
memory/2900-66-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2900-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2900-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2900-68-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2900-46-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2900-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2900-67-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2900-65-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2900-418-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2968-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2968-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2968-89-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2968-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2968-92-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2968-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2968-94-0x0000000077610000-0x0000000077611000-memory.dmp

Filesize
4KB

Download
memory/2968-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2968-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download