ramnit | 6f2979c2de75b3c89321f668a6ebc61a4e380b1d54e365a8772de41f70a0e8ab

Resubmissions

28-06-2024 23:57

240628-3zqyjsyepl 3

28-06-2024 23:57

240628-3zmk5ayepj 3

28-06-2024 13:34

240628-qvba3svejk 10

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a50c46b1a0418f833a2933e8a29001b_JaffaCakes118.dll
Size

157KB
MD5

1a50c46b1a0418f833a2933e8a29001b
SHA1

df0d35a24d4c9f5c5f49fe8cc8c878cab2464153
SHA256

6f2979c2de75b3c89321f668a6ebc61a4e380b1d54e365a8772de41f70a0e8ab
SHA512

68e0e171d3235b045ea06c0de3596f6c58e6379589262893513334ddc30a7e697390ea77697ddca15f830830a9b43148a518b8575efda91f73733ed73e0d1a03
SSDEEP

3072:2GpDiQ3K348tFbk0FEXcEJORDxlQ9dPeBxqEcrcZs:HieKTtFbkWAcuyDDiPeWEcrc2

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

rundll32mgr.exeWaterMark.exe

pid process

2416 rundll32mgr.exe
2644 WaterMark.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32mgr.exe

pid process

2352 rundll32.exe
2352 rundll32.exe
2416 rundll32mgr.exe
2416 rundll32mgr.exe

pid	process
2416	rundll32mgr.exe
2644	WaterMark.exe

pid	process
2352	rundll32.exe
2352	rundll32.exe
2416	rundll32mgr.exe
2416	rundll32mgr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2416-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2416-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-562-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-565-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

rundll32.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\NBMapTIP.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\management.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2644 WaterMark.exe
Token: SeDebugPrivilege 1404 svchost.exe
Token: SeDebugPrivilege 2644 WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

rundll32mgr.exeWaterMark.exe

pid process

2416 rundll32mgr.exe
2644 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	2644	WaterMark.exe
Token: SeDebugPrivilege	1404	svchost.exe
Token: SeDebugPrivilege	2644	WaterMark.exe

pid	process
2416	rundll32mgr.exe
2644	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2352	1876	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2416	2352	rundll32.exe	rundll32mgr.exe
PID 2352 wrote to memory of 2416	2352	rundll32.exe	rundll32mgr.exe
PID 2352 wrote to memory of 2416	2352	rundll32.exe	rundll32mgr.exe
PID 2352 wrote to memory of 2416	2352	rundll32.exe	rundll32mgr.exe
PID 2416 wrote to memory of 2644	2416	rundll32mgr.exe	WaterMark.exe
PID 2416 wrote to memory of 2644	2416	rundll32mgr.exe	WaterMark.exe
PID 2416 wrote to memory of 2644	2416	rundll32mgr.exe	WaterMark.exe
PID 2416 wrote to memory of 2644	2416	rundll32mgr.exe	WaterMark.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2936	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1404	2644	WaterMark.exe	svchost.exe
PID 1404 wrote to memory of 256	1404	svchost.exe	smss.exe
PID 1404 wrote to memory of 256	1404	svchost.exe	smss.exe
PID 1404 wrote to memory of 256	1404	svchost.exe	smss.exe
PID 1404 wrote to memory of 256	1404	svchost.exe	smss.exe
PID 1404 wrote to memory of 256	1404	svchost.exe	smss.exe
PID 1404 wrote to memory of 336	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 336	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 336	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 336	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 336	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 384	1404	svchost.exe	wininit.exe
PID 1404 wrote to memory of 384	1404	svchost.exe	wininit.exe
PID 1404 wrote to memory of 384	1404	svchost.exe	wininit.exe
PID 1404 wrote to memory of 384	1404	svchost.exe	wininit.exe
PID 1404 wrote to memory of 384	1404	svchost.exe	wininit.exe
PID 1404 wrote to memory of 392	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 392	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 392	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 392	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 392	1404	svchost.exe	csrss.exe
PID 1404 wrote to memory of 432	1404	svchost.exe	winlogon.exe
PID 1404 wrote to memory of 432	1404	svchost.exe	winlogon.exe
PID 1404 wrote to memory of 432	1404	svchost.exe	winlogon.exe
PID 1404 wrote to memory of 432	1404	svchost.exe	winlogon.exe
PID 1404 wrote to memory of 432	1404	svchost.exe	winlogon.exe
PID 1404 wrote to memory of 476	1404	svchost.exe	services.exe
PID 1404 wrote to memory of 476	1404	svchost.exe	services.exe
PID 1404 wrote to memory of 476	1404	svchost.exe	services.exe
PID 1404 wrote to memory of 476	1404	svchost.exe	services.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:852

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:856

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:268

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1068

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2216

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1276

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a50c46b1a0418f833a2933e8a29001b_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a50c46b1a0418f833a2933e8a29001b_JaffaCakes118.dll,#1
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2416

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
259KB

MD5
8ac088f3b7bb6ef128d2e62cc42a38cc

SHA1
700f4aeb10f45a26b1b1d01895eec63f908c2f0b

SHA256
3f7a8ea0dd63c1fb2128f2380984ef20061e5865737051d71411087642403d0a

SHA512
ca80d044f08148df5e4f8af620082b7c87e04080208f0dc9708b264cefa5e79f986c7c37c6c9f165779324b2acfafd589813d5da564017ca3d04426e3944bfcb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
255KB

MD5
f63652ea6138557fafa7dc90a41a0c8c

SHA1
5db9f3d1f522824fdbffb9c904c3a5228af658a1

SHA256
d590e8f9e2d36605c17ccfb85a258310d53f3f537e4e002aa6b5998e68d78dc1

SHA512
d81512e756c7fd239f07cf6768a17d5b4046671b1038ccbd82323cdbe8982a4981f2cb6f3c8e32fd0b7a21aae535869b8c4d7777a40740a13e1bb828c6faf9ad

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
123KB

MD5
58ae04d47a7587cba542671907b6a9af

SHA1
1f1e13105f87605281aac5666e8e448ab388b113

SHA256
aaaccf3120e3a27abb632e12c69b5e21056ec88780f001605d763eed9a2d1709

SHA512
78e2ecd54578cf8413f025f060412df7855ba661c07fafe0891a6827295a80caa8c3eae2be771786bc49ef5492163530319b86eba10cc6627d40b1677a496401

Download Submit
memory/1404-88-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/1404-90-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1404-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1404-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1404-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1404-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1404-86-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1404-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1404-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2352-4-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/2352-0-0x0000000000200000-0x0000000000233000-memory.dmp

Filesize
204KB

Download
memory/2352-1-0x0000000000200000-0x0000000000233000-memory.dmp

Filesize
204KB

Download
memory/2416-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-18-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2416-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2416-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-562-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-41-0x00000000777DF000-0x00000000777E0000-memory.dmp

Filesize
4KB

Download
memory/2644-80-0x00000000777DF000-0x00000000777E0000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2644-69-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2644-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-565-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-45-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2936-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2936-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2936-52-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2936-64-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2936-66-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2936-1006-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2936-53-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2936-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download