ramnit | c7c8de4b4943d9c245fb59ca60ea5697120d70495c50abccf56617ac3e13c990

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_85d5610e08d116e2edf3846ee138ea80.dll
Size

216KB
MD5

85d5610e08d116e2edf3846ee138ea80
SHA1

bbfcf941f4b5f18f1a884f38475a2c1681e3f9a7
SHA256

c7c8de4b4943d9c245fb59ca60ea5697120d70495c50abccf56617ac3e13c990
SHA512

fda76353c51b99d90a4c0c2cecf3e4a6970eef0101d0365290989b5017c49546b5b76863bc1ad5f54eba4060b232a685c16d5743c4fb4fa6aa233a1d239967d4
SSDEEP

3072:E2UxPvVKNiNz1a2JRC+Tq/Kc7/md/l9KIgzXnR5:nGvQ4Nx9RHTVVRL8Xnn

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2784	rundll32mgr.exe
2932	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2764	rundll32.exe
2764	rundll32.exe
2784	rundll32mgr.exe
2784	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2784-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2784-25-0x0000000000050000-0x000000000007D000-memory.dmp	upx
behavioral1/memory/2932-36-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2932-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2932-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2932-44-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2932-84-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2932-89-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2932-629-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	svchost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextService.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penusa.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
2932	WaterMark.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	WaterMark.exe
Token: SeDebugPrivilege	3068	svchost.exe
Token: SeDebugPrivilege	2932	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2784	rundll32mgr.exe
2932	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2980 wrote to memory of 2764	2980	rundll32.exe	31
PID 2764 wrote to memory of 2784	2764	rundll32.exe	32
PID 2764 wrote to memory of 2784	2764	rundll32.exe	32
PID 2764 wrote to memory of 2784	2764	rundll32.exe	32
PID 2764 wrote to memory of 2784	2764	rundll32.exe	32
PID 2784 wrote to memory of 2932	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 2932	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 2932	2784	rundll32mgr.exe	33
PID 2784 wrote to memory of 2932	2784	rundll32mgr.exe	33
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 2632	2932	WaterMark.exe	34
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 2932 wrote to memory of 3068	2932	WaterMark.exe	35
PID 3068 wrote to memory of 256	3068	svchost.exe	1
PID 3068 wrote to memory of 256	3068	svchost.exe	1
PID 3068 wrote to memory of 256	3068	svchost.exe	1
PID 3068 wrote to memory of 256	3068	svchost.exe	1
PID 3068 wrote to memory of 256	3068	svchost.exe	1
PID 3068 wrote to memory of 332	3068	svchost.exe	2
PID 3068 wrote to memory of 332	3068	svchost.exe	2
PID 3068 wrote to memory of 332	3068	svchost.exe	2
PID 3068 wrote to memory of 332	3068	svchost.exe	2
PID 3068 wrote to memory of 332	3068	svchost.exe	2
PID 3068 wrote to memory of 380	3068	svchost.exe	3
PID 3068 wrote to memory of 380	3068	svchost.exe	3
PID 3068 wrote to memory of 380	3068	svchost.exe	3
PID 3068 wrote to memory of 380	3068	svchost.exe	3
PID 3068 wrote to memory of 380	3068	svchost.exe	3
PID 3068 wrote to memory of 388	3068	svchost.exe	4
PID 3068 wrote to memory of 388	3068	svchost.exe	4
PID 3068 wrote to memory of 388	3068	svchost.exe	4
PID 3068 wrote to memory of 388	3068	svchost.exe	4
PID 3068 wrote to memory of 388	3068	svchost.exe	4
PID 3068 wrote to memory of 428	3068	svchost.exe	5
PID 3068 wrote to memory of 428	3068	svchost.exe	5
PID 3068 wrote to memory of 428	3068	svchost.exe	5
PID 3068 wrote to memory of 428	3068	svchost.exe	5
PID 3068 wrote to memory of 428	3068	svchost.exe	5
PID 3068 wrote to memory of 472	3068	svchost.exe	6
PID 3068 wrote to memory of 472	3068	svchost.exe	6
PID 3068 wrote to memory of 472	3068	svchost.exe	6
PID 3068 wrote to memory of 472	3068	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1272
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1684
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2820
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1184
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2276
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:492
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1532
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1728
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2448
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85d5610e08d116e2edf3846ee138ea80.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85d5610e08d116e2edf3846ee138ea80.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2632
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
244KB

MD5
fa7abf51d60f2de57a3f125a1769808f

SHA1
70e120beb3ac529ee4e68afd198f29e69dadc662

SHA256
8f49372badb8c2efe87f7fdd71c8cdbe2d212802631a13a184243355493e4749

SHA512
b385141a7dc4424e9c8f3d99c2f21a8a43cb34869482a28d33bcccad09c30499bd2054cc62683dd3c475e7a35d8b8e65fcb5e2f6b717942a7dd458ac1c6d6e29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
240KB

MD5
2fd13dc281d28d29d269b3b745e4aeaf

SHA1
7674dc5cae5337cfd5dc19efa387d3a4a8b4e365

SHA256
8139eb120a75b8407dbd3fae689b7bef120df0437e4b36882d472724b03eb7ba

SHA512
e6cdd37fa091823c947fd0b8043917f33e607c24a03563c7ce53ed32af9d87ee17942086f4ec7bc8e9606cdab32151002eae95559af93aefc9fe6b7f2bbb2ac0

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
115KB

MD5
0a745aeddb83ec4d137dfcc0f3d1ccad

SHA1
bc9f3298a33b71a6a26dc56408eca55d313800ab

SHA256
d28522f5a1bdd4cc70d29ce457e9bfcbb75d6d5fd2537ff15877ee2a502dd907

SHA512
85be6d620235ac9447ab8a65055cbf4d29ef0b6dbffc5d38bfd35071c26622fd0c48729daf4323d7c58e34b0204ba131792b40c9ec38bb4a597f5693e5ba2eaf

Download Submit
memory/2632-61-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2632-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-46-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-68-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-366-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-59-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2632-60-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2632-64-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2632-48-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x00000000001F0000-0x000000000021D000-memory.dmp

Filesize
180KB

Download
memory/2764-0-0x000000006D280000-0x000000006D2B6000-memory.dmp

Filesize
216KB

Download
memory/2764-1-0x000000006D280000-0x000000006D2B6000-memory.dmp

Filesize
216KB

Download
memory/2764-9-0x00000000001F0000-0x000000000021D000-memory.dmp

Filesize
180KB

Download
memory/2764-3227-0x00000000001F0000-0x000000000021D000-memory.dmp

Filesize
180KB

Download
memory/2784-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2784-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-25-0x0000000000050000-0x000000000007D000-memory.dmp

Filesize
180KB

Download
memory/2784-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2932-73-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2932-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-84-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2932-43-0x00000000772BF000-0x00000000772C0000-memory.dmp

Filesize
4KB

Download
memory/2932-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-629-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-42-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2932-363-0x00000000772BF000-0x00000000772C0000-memory.dmp

Filesize
4KB

Download
memory/3068-95-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/3068-91-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3068-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/3068-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/3068-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/3068-94-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3068-96-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/3068-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/3068-75-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download