ramnit | 71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	WaterMark.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-55-0x0000000002490000-0x000000000354A000-memory.dmp	upx
behavioral1/memory/960-57-0x0000000002490000-0x000000000354A000-memory.dmp	upx
behavioral1/memory/960-60-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/960-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/960-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1760-82-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/1760-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFE5C.tmp	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\6bfc5a	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
1760	WaterMark.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	WaterMark.exe
Token: SeDebugPrivilege	2032	svchost.exe
Token: SeDebugPrivilege	1760	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
1760	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1760	960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe	27
PID 960 wrote to memory of 1760	960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe	27
PID 960 wrote to memory of 1760	960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe	27
PID 960 wrote to memory of 1760	960	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe	27
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 576	1760	WaterMark.exe	28
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 1760 wrote to memory of 2032	1760	WaterMark.exe	29
PID 2032 wrote to memory of 260	2032	svchost.exe	25
PID 2032 wrote to memory of 260	2032	svchost.exe	25
PID 2032 wrote to memory of 260	2032	svchost.exe	25
PID 2032 wrote to memory of 260	2032	svchost.exe	25
PID 2032 wrote to memory of 260	2032	svchost.exe	25
PID 2032 wrote to memory of 332	2032	svchost.exe	24
PID 2032 wrote to memory of 332	2032	svchost.exe	24
PID 2032 wrote to memory of 332	2032	svchost.exe	24
PID 2032 wrote to memory of 332	2032	svchost.exe	24
PID 2032 wrote to memory of 332	2032	svchost.exe	24
PID 2032 wrote to memory of 368	2032	svchost.exe	5
PID 2032 wrote to memory of 368	2032	svchost.exe	5
PID 2032 wrote to memory of 368	2032	svchost.exe	5
PID 2032 wrote to memory of 368	2032	svchost.exe	5
PID 2032 wrote to memory of 368	2032	svchost.exe	5
PID 2032 wrote to memory of 380	2032	svchost.exe	4
PID 2032 wrote to memory of 380	2032	svchost.exe	4
PID 2032 wrote to memory of 380	2032	svchost.exe	4
PID 2032 wrote to memory of 380	2032	svchost.exe	4
PID 2032 wrote to memory of 380	2032	svchost.exe	4
PID 2032 wrote to memory of 416	2032	svchost.exe	3
PID 2032 wrote to memory of 416	2032	svchost.exe	3
PID 2032 wrote to memory of 416	2032	svchost.exe	3
PID 2032 wrote to memory of 416	2032	svchost.exe	3
PID 2032 wrote to memory of 416	2032	svchost.exe	3
PID 2032 wrote to memory of 460	2032	svchost.exe	2
PID 2032 wrote to memory of 460	2032	svchost.exe	2
PID 2032 wrote to memory of 460	2032	svchost.exe	2
PID 2032 wrote to memory of 460	2032	svchost.exe	2
PID 2032 wrote to memory of 460	2032	svchost.exe	2
PID 2032 wrote to memory of 476	2032	svchost.exe	1
PID 2032 wrote to memory of 476	2032	svchost.exe	1
PID 2032 wrote to memory of 476	2032	svchost.exe	1
PID 2032 wrote to memory of 476	2032	svchost.exe	1
PID 2032 wrote to memory of 476	2032	svchost.exe	1
PID 2032 wrote to memory of 484	2032	svchost.exe	23
PID 2032 wrote to memory of 484	2032	svchost.exe	23
PID 2032 wrote to memory of 484	2032	svchost.exe	23
PID 2032 wrote to memory of 484	2032	svchost.exe	23
PID 2032 wrote to memory of 484	2032	svchost.exe	23

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:336
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:984
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:888
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:852
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1820

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe
  "C:\Users\Admin\AppData\Local\Temp\71fff933aa11ad791e84c11aaefcaad765caa5f4caac8113fe55a7ee8da1fff6.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:960
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:576
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2032

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry