ramnit | 559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059

Analysis

max time kernel
153s
max time network
125s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Size

1.2MB
MD5

0b0abebcf52608a0a662c17f3bd316d0
SHA1

107c457ae440d137e5735244871f8e8f3998e6e1
SHA256

559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059
SHA512

0f96fbbf4b502f7e5dfb187091a070d0acca5c182ef741210eaf3dbd9e24388fbeb0f9be0e80270eb8fdb71f48d23137771b6ef95d1f3ebf20d640f5ec13b7db
SSDEEP

24576:EdsuNOCN8loXWfgLYeuQaTjCdsyYPDsseHtHwKlK7MMMMMMRxAyTSiU:nuY28SUgLYosT1MMMMMMhTSd

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
544	WaterMark.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/960-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/960-67-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/544-76-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/544-203-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4451.tmp	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
544	WaterMark.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	WaterMark.exe
Token: SeDebugPrivilege	1984	svchost.exe
Token: SeDebugPrivilege	836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Token: SeDebugPrivilege	544	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
544	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 960	836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	27
PID 836 wrote to memory of 960	836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	27
PID 836 wrote to memory of 960	836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	27
PID 836 wrote to memory of 960	836	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	27
PID 960 wrote to memory of 544	960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	28
PID 960 wrote to memory of 544	960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	28
PID 960 wrote to memory of 544	960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	28
PID 960 wrote to memory of 544	960	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	28
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1708	544	WaterMark.exe	29
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 544 wrote to memory of 1984	544	WaterMark.exe	30
PID 1984 wrote to memory of 260	1984	svchost.exe	7
PID 1984 wrote to memory of 260	1984	svchost.exe	7
PID 1984 wrote to memory of 260	1984	svchost.exe	7
PID 1984 wrote to memory of 260	1984	svchost.exe	7
PID 1984 wrote to memory of 260	1984	svchost.exe	7
PID 1984 wrote to memory of 332	1984	svchost.exe	6
PID 1984 wrote to memory of 332	1984	svchost.exe	6
PID 1984 wrote to memory of 332	1984	svchost.exe	6
PID 1984 wrote to memory of 332	1984	svchost.exe	6
PID 1984 wrote to memory of 332	1984	svchost.exe	6
PID 1984 wrote to memory of 368	1984	svchost.exe	5
PID 1984 wrote to memory of 368	1984	svchost.exe	5
PID 1984 wrote to memory of 368	1984	svchost.exe	5
PID 1984 wrote to memory of 368	1984	svchost.exe	5
PID 1984 wrote to memory of 368	1984	svchost.exe	5
PID 1984 wrote to memory of 376	1984	svchost.exe	4
PID 1984 wrote to memory of 376	1984	svchost.exe	4
PID 1984 wrote to memory of 376	1984	svchost.exe	4
PID 1984 wrote to memory of 376	1984	svchost.exe	4
PID 1984 wrote to memory of 376	1984	svchost.exe	4
PID 1984 wrote to memory of 416	1984	svchost.exe	3
PID 1984 wrote to memory of 416	1984	svchost.exe	3
PID 1984 wrote to memory of 416	1984	svchost.exe	3
PID 1984 wrote to memory of 416	1984	svchost.exe	3
PID 1984 wrote to memory of 416	1984	svchost.exe	3
PID 1984 wrote to memory of 460	1984	svchost.exe	2
PID 1984 wrote to memory of 460	1984	svchost.exe	2
PID 1984 wrote to memory of 460	1984	svchost.exe	2
PID 1984 wrote to memory of 460	1984	svchost.exe	2
PID 1984 wrote to memory of 460	1984	svchost.exe	2
PID 1984 wrote to memory of 476	1984	svchost.exe	1
PID 1984 wrote to memory of 476	1984	svchost.exe	1
PID 1984 wrote to memory of 476	1984	svchost.exe	1
PID 1984 wrote to memory of 476	1984	svchost.exe	1
PID 1984 wrote to memory of 476	1984	svchost.exe	1
PID 1984 wrote to memory of 484	1984	svchost.exe	8

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:2000
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1228
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1816
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    3⤵
    PID:1960
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1128

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
  "C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe"
  2⤵
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
    C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1708
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
memory/544-203-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/544-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-74-0x0000000000E40000-0x0000000000FBC000-memory.dmp

Filesize
1.5MB

Download
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/836-75-0x0000000000170000-0x0000000000196000-memory.dmp

Filesize
152KB

Download
memory/836-849-0x0000000000E40000-0x0000000000FBC000-memory.dmp

Filesize
1.5MB

Download
memory/836-154-0x00000000029A0000-0x00000000029C6000-memory.dmp

Filesize
152KB

Download
memory/960-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/960-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/960-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1708-78-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1708-86-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1708-82-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1708-204-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1984-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1984-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download