ramnit | dd32e1e9e2417e47708a7553a41bfcf5208bd3ca89a7f04742b202c910483e25

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll
Size

337KB
MD5

15d00fc2efbd85c50422b973081840bc
SHA1

cf3d6bc5ebf9d8d989166adbfd967be2bef3ef74
SHA256

dd32e1e9e2417e47708a7553a41bfcf5208bd3ca89a7f04742b202c910483e25
SHA512

c91c07e4355a5887d058ea5f10b402792730c0d3f8e221a130a78eb9371d0667fc96e7111ac5337f144d12ff29b9f9a590ee454936d747abd29e5fa1c4cbd02a
SSDEEP

6144:qN0yr1sO/wIKS0FKtOT/OrDtgUi0uvQee7Qee/0QeesQeeglQeekQeeDC7M3HCRD:qG6wndYtamDSU1MHCRflZ

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2420 regsvr32mgr.exe
1712 WaterMark.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32mgr.exe

pid process

1740 regsvr32.exe
1740 regsvr32.exe
2420 regsvr32mgr.exe
2420 regsvr32mgr.exe

pid	process
2420	regsvr32mgr.exe
1712	WaterMark.exe

pid	process
1740	regsvr32.exe
1740	regsvr32.exe
2420	regsvr32mgr.exe
2420	regsvr32mgr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2420-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2420-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1712-566-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ieproxy.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\NBDoc.DLL	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\PipeTran.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\oeimport.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPNSSUI.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMCCore.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll	svchost.exe

Modifies registry class 4 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
1712	WaterMark.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1712 WaterMark.exe
Token: SeDebugPrivilege 2528 svchost.exe
Token: SeDebugPrivilege 1712 WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2420 regsvr32mgr.exe
1712 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	1712	WaterMark.exe
Token: SeDebugPrivilege	2528	svchost.exe
Token: SeDebugPrivilege	1712	WaterMark.exe

pid	process
2420	regsvr32mgr.exe
1712	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 1740	1976	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 2420	1740	regsvr32.exe	regsvr32mgr.exe
PID 1740 wrote to memory of 2420	1740	regsvr32.exe	regsvr32mgr.exe
PID 1740 wrote to memory of 2420	1740	regsvr32.exe	regsvr32mgr.exe
PID 1740 wrote to memory of 2420	1740	regsvr32.exe	regsvr32mgr.exe
PID 2420 wrote to memory of 1712	2420	regsvr32mgr.exe	WaterMark.exe
PID 2420 wrote to memory of 1712	2420	regsvr32mgr.exe	WaterMark.exe
PID 2420 wrote to memory of 1712	2420	regsvr32mgr.exe	WaterMark.exe
PID 2420 wrote to memory of 1712	2420	regsvr32mgr.exe	WaterMark.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2724	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 1712 wrote to memory of 2528	1712	WaterMark.exe	svchost.exe
PID 2528 wrote to memory of 256	2528	svchost.exe	smss.exe
PID 2528 wrote to memory of 256	2528	svchost.exe	smss.exe
PID 2528 wrote to memory of 256	2528	svchost.exe	smss.exe
PID 2528 wrote to memory of 256	2528	svchost.exe	smss.exe
PID 2528 wrote to memory of 256	2528	svchost.exe	smss.exe
PID 2528 wrote to memory of 332	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 332	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 332	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 332	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 332	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 384	2528	svchost.exe	wininit.exe
PID 2528 wrote to memory of 384	2528	svchost.exe	wininit.exe
PID 2528 wrote to memory of 384	2528	svchost.exe	wininit.exe
PID 2528 wrote to memory of 384	2528	svchost.exe	wininit.exe
PID 2528 wrote to memory of 384	2528	svchost.exe	wininit.exe
PID 2528 wrote to memory of 392	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 392	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 392	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 392	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 392	2528	svchost.exe	csrss.exe
PID 2528 wrote to memory of 432	2528	svchost.exe	winlogon.exe
PID 2528 wrote to memory of 432	2528	svchost.exe	winlogon.exe
PID 2528 wrote to memory of 432	2528	svchost.exe	winlogon.exe
PID 2528 wrote to memory of 432	2528	svchost.exe	winlogon.exe
PID 2528 wrote to memory of 432	2528	svchost.exe	winlogon.exe
PID 2528 wrote to memory of 476	2528	svchost.exe	services.exe
PID 2528 wrote to memory of 476	2528	svchost.exe	services.exe
PID 2528 wrote to memory of 476	2528	svchost.exe	services.exe
PID 2528 wrote to memory of 476	2528	svchost.exe	services.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:344

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:864

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:280

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1052

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2016

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2240

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
206KB

MD5
f705cf5f5d402776a3f883538d4f75e0

SHA1
db8064bd28595f56e57426aacfd7875b18c1ecac

SHA256
e2481e772bda0b1faba2fcf4b8c6aa5a22a126d3d4ef44f25de9406ef82936ed

SHA512
6bf037f84af1df01daab74b01a7e8d034a671c5af7473dd60a92ad9758b821b2ff9fdfb7a36c9aa7107da23097507b0fbc7917733c4576c1b67228e3bef25a50

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
202KB

MD5
f3e3cb4ebbf134b9c24d08b1ecf79bb3

SHA1
fa422fc2a7026261059d9f220dd471b829871897

SHA256
373c5e99a90a446e10c7c06102cd6855347eccab7691db5f38cdf7da8644d3fe

SHA512
0aef0149fb74d03ee223f476afc349dfdecd8dedac01896f4ae6d8f6bd70bf3d59e9a3841dd10a1a696956716df4494d94458299e4aac759e764d360af3b9702

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe
Filesize
96KB

MD5
8c51fd9d6daa7b6137634de19a49452c

SHA1
db2a11cca434bacad2bf42adeecae38e99cf64f8

SHA256
528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

SHA512
b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

Download Submit
memory/1712-566-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-71-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1712-41-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1712-42-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1712-43-0x00000000771FF000-0x0000000077200000-memory.dmp

Filesize
4KB

Download
memory/1712-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1740-1-0x0000000074400000-0x0000000074457000-memory.dmp

Filesize
348KB

Download
memory/1740-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-22-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2420-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2528-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2528-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2528-90-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2528-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2528-87-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2528-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2528-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2724-61-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2724-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2724-59-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2724-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-46-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download