ramnit | e6ed3cecfb6b68358bb98c24cf2af4b76e3d9965f5b4a66235ba75bb1c35a765

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
Size

93KB
MD5

1e88c95fd3adff10c0b222fbf4eb0948
SHA1

792fba645755b28b4a99c5a8e82ed796a0116dae
SHA256

e6ed3cecfb6b68358bb98c24cf2af4b76e3d9965f5b4a66235ba75bb1c35a765
SHA512

e1d8e14f8a1102804236a11a20bad2246b45960b89d5caa05c748358f64facefe79853326913cf26ec6b9b4df7ab6f7dd74849d2b42192a2ada819f199606e0e
SSDEEP

1536:zZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEc:NnxwgxgfR/DVG7wBpEc

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

WaterMark.exe

pid process

3036 WaterMark.exe
Loads dropped DLL 2 IoCs

Processes:

1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe

pid process

2848 1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
2848 1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe

pid	process
2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2848-2-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-1-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-4-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3036-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3036-537-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3036-540-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdm.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACERECR.DLL	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\verify.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe
2484	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3036 WaterMark.exe
Token: SeDebugPrivilege 2484 svchost.exe
Token: SeDebugPrivilege 3036 WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exeWaterMark.exe

pid process

2848 1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
3036 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	3036	WaterMark.exe
Token: SeDebugPrivilege	2484	svchost.exe
Token: SeDebugPrivilege	3036	WaterMark.exe

pid	process
2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
3036	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 2848 wrote to memory of 3036	2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe	WaterMark.exe
PID 2848 wrote to memory of 3036	2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe	WaterMark.exe
PID 2848 wrote to memory of 3036	2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe	WaterMark.exe
PID 2848 wrote to memory of 3036	2848	1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe	WaterMark.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2700	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 3036 wrote to memory of 2484	3036	WaterMark.exe	svchost.exe
PID 2484 wrote to memory of 260	2484	svchost.exe	smss.exe
PID 2484 wrote to memory of 260	2484	svchost.exe	smss.exe
PID 2484 wrote to memory of 260	2484	svchost.exe	smss.exe
PID 2484 wrote to memory of 260	2484	svchost.exe	smss.exe
PID 2484 wrote to memory of 260	2484	svchost.exe	smss.exe
PID 2484 wrote to memory of 340	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 340	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 340	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 340	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 340	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 388	2484	svchost.exe	wininit.exe
PID 2484 wrote to memory of 388	2484	svchost.exe	wininit.exe
PID 2484 wrote to memory of 388	2484	svchost.exe	wininit.exe
PID 2484 wrote to memory of 388	2484	svchost.exe	wininit.exe
PID 2484 wrote to memory of 388	2484	svchost.exe	wininit.exe
PID 2484 wrote to memory of 400	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 400	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 400	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 400	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 400	2484	svchost.exe	csrss.exe
PID 2484 wrote to memory of 436	2484	svchost.exe	winlogon.exe
PID 2484 wrote to memory of 436	2484	svchost.exe	winlogon.exe
PID 2484 wrote to memory of 436	2484	svchost.exe	winlogon.exe
PID 2484 wrote to memory of 436	2484	svchost.exe	winlogon.exe
PID 2484 wrote to memory of 436	2484	svchost.exe	winlogon.exe
PID 2484 wrote to memory of 484	2484	svchost.exe	services.exe
PID 2484 wrote to memory of 484	2484	svchost.exe	services.exe
PID 2484 wrote to memory of 484	2484	svchost.exe	services.exe
PID 2484 wrote to memory of 484	2484	svchost.exe	services.exe
PID 2484 wrote to memory of 484	2484	svchost.exe	services.exe
PID 2484 wrote to memory of 492	2484	svchost.exe	lsass.exe
PID 2484 wrote to memory of 492	2484	svchost.exe	lsass.exe
PID 2484 wrote to memory of 492	2484	svchost.exe	lsass.exe
PID 2484 wrote to memory of 492	2484	svchost.exe	lsass.exe
PID 2484 wrote to memory of 492	2484	svchost.exe	lsass.exe
PID 2484 wrote to memory of 500	2484	svchost.exe	lsm.exe
PID 2484 wrote to memory of 500	2484	svchost.exe	lsm.exe
PID 2484 wrote to memory of 500	2484	svchost.exe	lsm.exe
PID 2484 wrote to memory of 500	2484	svchost.exe	lsm.exe
PID 2484 wrote to memory of 500	2484	svchost.exe	lsm.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:340

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1840

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:868

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:356

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2324

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:3024

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e88c95fd3adff10c0b222fbf4eb0948_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2848

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
199KB

MD5
8e6a627cc9a8fe82fe74907395c13e36

SHA1
05239f68fcc84d6d11597c3e6fd89ab12cadf3fe

SHA256
27157dbe9b3a256dca47f3c8d8b44ab10ac2a1c4f8d4567425dacf69428c3e99

SHA512
3160310e8ff837550eb582a09d04d5de64402bd216d11bc845f0f8ff912e613f783782da4df30a327ecfdf334c1a29d67c4edf943d8609d5b6b446aa81b9c1a1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
195KB

MD5
1dfaa93c1fffc1a54176f78476b52210

SHA1
e84643408298f11594f8cda6cd3044a4b51a89c6

SHA256
dc5a8fadeb4c29691b33a632bf111008ccd53dc6bd6a3c81e7f503eed7f9d532

SHA512
638b71e68b7dd61d3a21f17181f7945e07318c45d60b6057f56636c343f1d4fa03ca344caabbadc2b45d4443447072319b66cdaa3f214f14fc466c0d4fdd3325

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
93KB

MD5
1e88c95fd3adff10c0b222fbf4eb0948

SHA1
792fba645755b28b4a99c5a8e82ed796a0116dae

SHA256
e6ed3cecfb6b68358bb98c24cf2af4b76e3d9965f5b4a66235ba75bb1c35a765

SHA512
e1d8e14f8a1102804236a11a20bad2246b45960b89d5caa05c748358f64facefe79853326913cf26ec6b9b4df7ab6f7dd74849d2b42192a2ada819f199606e0e

Download Submit
memory/2484-75-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2484-77-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2484-61-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2484-71-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2484-76-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2484-181-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2484-78-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2484-79-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2484-80-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2700-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2700-761-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2700-32-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2700-34-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2700-42-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2700-41-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2700-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2700-47-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2700-50-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2700-48-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2848-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-5-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2848-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3036-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3036-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3036-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-537-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-540-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3036-30-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download
memory/3036-70-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download