ramnit | b2e8e2958872fca322b9e8cc0cd3e95b29cab03032bdc72816bf37bb21a6118d

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll
Size

193KB
MD5

15a67ca8c2374635659a6c6a0de2e862
SHA1

2e9c7e3aeae2ed52e3585fe019cc48136443b44d
SHA256

b2e8e2958872fca322b9e8cc0cd3e95b29cab03032bdc72816bf37bb21a6118d
SHA512

5f742205652eb541fbc72c06d96260799745a442cdb1d310bb91fd887f389992e784ac56aaacf94045a687a66fa515f51eb768ff0c6bdf30b97b9ebccfbb0216
SSDEEP

3072:s73MITL/9oSmkbx3ZtffjBTnIwanLMy7L/k6YpQAz8Wnr:6dTpountf75Iwkh7o6BQnr

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2644 regsvr32mgr.exe
2556 WaterMark.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32mgr.exe

pid process

2232 regsvr32.exe
2232 regsvr32.exe
2644 regsvr32mgr.exe
2644 regsvr32mgr.exe

pid	process
2644	regsvr32mgr.exe
2556	WaterMark.exe

pid	process
2232	regsvr32.exe
2232	regsvr32.exe
2644	regsvr32mgr.exe
2644	regsvr32mgr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2644-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2556-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2556-39-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2556-565-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

svchost.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_socket.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMCCore.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANR.DLL	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe

Modifies registry class 45 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll,-101"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "&Windows Media Player"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "&Windows Media Player"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "&Windows Media Player"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\MenuText = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll,-101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2556	WaterMark.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2556 WaterMark.exe
Token: SeDebugPrivilege 2756 svchost.exe
Token: SeDebugPrivilege 2556 WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2644 regsvr32mgr.exe
2556 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	2556	WaterMark.exe
Token: SeDebugPrivilege	2756	svchost.exe
Token: SeDebugPrivilege	2556	WaterMark.exe

pid	process
2644	regsvr32mgr.exe
2556	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2240 wrote to memory of 2232	2240	regsvr32.exe	regsvr32.exe
PID 2232 wrote to memory of 2644	2232	regsvr32.exe	regsvr32mgr.exe
PID 2232 wrote to memory of 2644	2232	regsvr32.exe	regsvr32mgr.exe
PID 2232 wrote to memory of 2644	2232	regsvr32.exe	regsvr32mgr.exe
PID 2232 wrote to memory of 2644	2232	regsvr32.exe	regsvr32mgr.exe
PID 2644 wrote to memory of 2556	2644	regsvr32mgr.exe	WaterMark.exe
PID 2644 wrote to memory of 2556	2644	regsvr32mgr.exe	WaterMark.exe
PID 2644 wrote to memory of 2556	2644	regsvr32mgr.exe	WaterMark.exe
PID 2644 wrote to memory of 2556	2644	regsvr32mgr.exe	WaterMark.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2472	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2556 wrote to memory of 2756	2556	WaterMark.exe	svchost.exe
PID 2756 wrote to memory of 260	2756	svchost.exe	smss.exe
PID 2756 wrote to memory of 260	2756	svchost.exe	smss.exe
PID 2756 wrote to memory of 260	2756	svchost.exe	smss.exe
PID 2756 wrote to memory of 260	2756	svchost.exe	smss.exe
PID 2756 wrote to memory of 260	2756	svchost.exe	smss.exe
PID 2756 wrote to memory of 340	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 340	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 340	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 340	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 340	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 388	2756	svchost.exe	wininit.exe
PID 2756 wrote to memory of 388	2756	svchost.exe	wininit.exe
PID 2756 wrote to memory of 388	2756	svchost.exe	wininit.exe
PID 2756 wrote to memory of 388	2756	svchost.exe	wininit.exe
PID 2756 wrote to memory of 388	2756	svchost.exe	wininit.exe
PID 2756 wrote to memory of 400	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 400	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 400	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 400	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 400	2756	svchost.exe	csrss.exe
PID 2756 wrote to memory of 436	2756	svchost.exe	winlogon.exe
PID 2756 wrote to memory of 436	2756	svchost.exe	winlogon.exe
PID 2756 wrote to memory of 436	2756	svchost.exe	winlogon.exe
PID 2756 wrote to memory of 436	2756	svchost.exe	winlogon.exe
PID 2756 wrote to memory of 436	2756	svchost.exe	winlogon.exe
PID 2756 wrote to memory of 480	2756	svchost.exe	services.exe
PID 2756 wrote to memory of 480	2756	svchost.exe	services.exe
PID 2756 wrote to memory of 480	2756	svchost.exe	services.exe
PID 2756 wrote to memory of 480	2756	svchost.exe	services.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:340

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1552

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:876

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:356

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:556

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2120

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\15a67ca8c2374635659a6c6a0de2e862_JaffaCakes118.dll
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
206KB

MD5
b361cb99691ec9d097253f917754e959

SHA1
06f151e6153cc8021b5d12643cdf819e12456aa4

SHA256
8ea155db9552a15c0b1857701a1b86965bc5d202a6477d435314323576237cc6

SHA512
e3337fc98cbc0bcf31180594728e607160a350488886036f48b448c500c3e669c98a691e57a953fd4b292af6b0cd33a53814f9cbd5b6c679c4a6369dfb4ad51a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
202KB

MD5
96d3c5632a01c5bc215df4285faceaa3

SHA1
4908c7aff8ba2557154ceff04887d512be0a74d3

SHA256
c45c701891e5c64663e4b835ac95bfde50b551227dcaca5d210878746072b428

SHA512
4e81cd897bce2fe65673fa80e7ec3c633f143b1ebb165deded9a549100647b1348cb153d2a9132f8d35a17a776e9cda0a6cfcde92b58921da6f7dfabe28eccdd

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe
Filesize
96KB

MD5
8c51fd9d6daa7b6137634de19a49452c

SHA1
db2a11cca434bacad2bf42adeecae38e99cf64f8

SHA256
528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

SHA512
b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

Download Submit
memory/2232-1-0x0000000074380000-0x00000000743B3000-memory.dmp

Filesize
204KB

Download
memory/2232-3-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/2472-62-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2472-46-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2472-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2472-53-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2472-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2472-63-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2472-64-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2472-58-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2556-565-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2556-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-41-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-42-0x000000007714F000-0x0000000077150000-memory.dmp

Filesize
4KB

Download
memory/2556-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2556-70-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2644-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-24-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/2644-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-20-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2644-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2756-82-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2756-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2756-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2756-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2756-89-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2756-86-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2756-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2756-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download