ramnit | 622ace3bd4b8fe20fccc53365a4c9189af3482a000b56ac7576aef7d1e9af780

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc1ec8789758ea996e78b7be429ee06_JaffaCakes118.dll
Size

132KB
MD5

1bc1ec8789758ea996e78b7be429ee06
SHA1

7e52a3f078a0fc3cf522f06a14406a5db6a5cc8d
SHA256

622ace3bd4b8fe20fccc53365a4c9189af3482a000b56ac7576aef7d1e9af780
SHA512

f1a28f8a66dbfc79239e7107ac6fc3fda18f9a267af85086af844a0eaeb7cc9bac6b2fec06d29f6735685fa847368689e4e61d251385497e7e685f58eed1b6df
SSDEEP

3072:po6nwLqrSa4I+VC2L99ZgyXf9MWebpjMGlDCdrv:W6ux7vBsGdv

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2768 regsvr32mgr.exe
2644 WaterMark.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32mgr.exe

pid process

2056 regsvr32.exe
2056 regsvr32.exe
2768 regsvr32mgr.exe
2768 regsvr32mgr.exe

pid	process
2768	regsvr32mgr.exe
2644	WaterMark.exe

pid	process
2056	regsvr32.exe
2056	regsvr32.exe
2768	regsvr32mgr.exe
2768	regsvr32mgr.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2768-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-35-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2768-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2768-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2768-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2768-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2768-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2768-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2644-564-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exeregsvr32mgr.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\dao360.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px10C3.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\MSPVWCTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
2644	WaterMark.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2644 WaterMark.exe
Token: SeDebugPrivilege 1324 svchost.exe
Token: SeDebugPrivilege 2644 WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

2768 regsvr32mgr.exe
2644 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	2644	WaterMark.exe
Token: SeDebugPrivilege	1324	svchost.exe
Token: SeDebugPrivilege	2644	WaterMark.exe

pid	process
2768	regsvr32mgr.exe
2644	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 1648 wrote to memory of 2056	1648	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2768	2056	regsvr32.exe	regsvr32mgr.exe
PID 2056 wrote to memory of 2768	2056	regsvr32.exe	regsvr32mgr.exe
PID 2056 wrote to memory of 2768	2056	regsvr32.exe	regsvr32mgr.exe
PID 2056 wrote to memory of 2768	2056	regsvr32.exe	regsvr32mgr.exe
PID 2768 wrote to memory of 2644	2768	regsvr32mgr.exe	WaterMark.exe
PID 2768 wrote to memory of 2644	2768	regsvr32mgr.exe	WaterMark.exe
PID 2768 wrote to memory of 2644	2768	regsvr32mgr.exe	WaterMark.exe
PID 2768 wrote to memory of 2644	2768	regsvr32mgr.exe	WaterMark.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 2848	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 2644 wrote to memory of 1324	2644	WaterMark.exe	svchost.exe
PID 1324 wrote to memory of 256	1324	svchost.exe	smss.exe
PID 1324 wrote to memory of 256	1324	svchost.exe	smss.exe
PID 1324 wrote to memory of 256	1324	svchost.exe	smss.exe
PID 1324 wrote to memory of 256	1324	svchost.exe	smss.exe
PID 1324 wrote to memory of 256	1324	svchost.exe	smss.exe
PID 1324 wrote to memory of 332	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 332	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 332	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 332	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 332	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 380	1324	svchost.exe	wininit.exe
PID 1324 wrote to memory of 380	1324	svchost.exe	wininit.exe
PID 1324 wrote to memory of 380	1324	svchost.exe	wininit.exe
PID 1324 wrote to memory of 380	1324	svchost.exe	wininit.exe
PID 1324 wrote to memory of 380	1324	svchost.exe	wininit.exe
PID 1324 wrote to memory of 392	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 392	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 392	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 392	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 392	1324	svchost.exe	csrss.exe
PID 1324 wrote to memory of 432	1324	svchost.exe	winlogon.exe
PID 1324 wrote to memory of 432	1324	svchost.exe	winlogon.exe
PID 1324 wrote to memory of 432	1324	svchost.exe	winlogon.exe
PID 1324 wrote to memory of 432	1324	svchost.exe	winlogon.exe
PID 1324 wrote to memory of 432	1324	svchost.exe	winlogon.exe
PID 1324 wrote to memory of 476	1324	svchost.exe	services.exe
PID 1324 wrote to memory of 476	1324	svchost.exe	services.exe
PID 1324 wrote to memory of 476	1324	svchost.exe	services.exe
PID 1324 wrote to memory of 476	1324	svchost.exe	services.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:856

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:112

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2312

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:3016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1bc1ec8789758ea996e78b7be429ee06_JaffaCakes118.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1bc1ec8789758ea996e78b7be429ee06_JaffaCakes118.dll
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
206KB

MD5
4a77e73c0c39f66296355fc46a79d491

SHA1
8d3814497b576194eb9e35618196ef29928ddd6e

SHA256
332327ce8bda33dca03d75e55c63e0b63484e13ef849bb4102abebf0e29b4635

SHA512
f689e8950eca3e50d7dee6db28eee61e43d56fb775978bff0f9878b6d3391e254d387743d8331233b5e071d9068e39acdd333d484d7ec3b83bb48836a8e9507a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
202KB

MD5
d185e67c25439fede8977cd891d4d6bf

SHA1
6652ac24810420faddefb1b73cf46ad8d88fbb2a

SHA256
37f17761c4c5824ab42b64c32c4b8641f502e8485ec32f27fd6da8cf7228e110

SHA512
e7b35dc5209c0fce37b0f91bc85b2f5ce9d1325af9564a565da21f15b264cf0cfd09a1b2cd96911e2babd38e7c74531733118bf199484f178ee20f4ccc33dbfb

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe
Filesize
96KB

MD5
8c51fd9d6daa7b6137634de19a49452c

SHA1
db2a11cca434bacad2bf42adeecae38e99cf64f8

SHA256
528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

SHA512
b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

Download Submit
memory/1324-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1324-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1324-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1324-85-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1324-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1324-88-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1324-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1324-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2056-4-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/2056-3-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/2056-11-0x0000000000180000-0x00000000001B5000-memory.dmp

Filesize
212KB

Download
memory/2056-0-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/2644-69-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2644-42-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2644-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-564-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2644-43-0x0000000076F7F000-0x0000000076F80000-memory.dmp

Filesize
4KB

Download
memory/2768-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-20-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2768-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2768-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-52-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2848-64-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2848-65-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2848-66-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2848-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2848-57-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2848-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2848-45-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download