ramnit | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 9 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	WaterMark.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 18 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	WaterMark.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	svchost.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
1452	WaterMark.exe
1284	WaterMark.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1180-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1180-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1160-65-0x0000000002790000-0x000000000381E000-memory.dmp	upx
behavioral1/memory/1180-71-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1160-84-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1160-87-0x0000000002790000-0x000000000381E000-memory.dmp	upx
behavioral1/memory/1452-91-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1452-88-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1284-93-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1284-113-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1452-199-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral1/memory/1452-255-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1284-254-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1452-256-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral1/memory/1636-307-0x0000000002C40000-0x0000000003CCE000-memory.dmp	upx
behavioral1/memory/1636-357-0x0000000002C40000-0x0000000003CCE000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1636	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEE0.tmp	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px11DC.tmp	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
1452	WaterMark.exe
1452	WaterMark.exe
1284	WaterMark.exe
1284	WaterMark.exe
1452	WaterMark.exe
1284	WaterMark.exe
1284	WaterMark.exe
1452	WaterMark.exe
1452	WaterMark.exe
1284	WaterMark.exe
1452	WaterMark.exe
1284	WaterMark.exe
1452	WaterMark.exe
1452	WaterMark.exe
1284	WaterMark.exe
1284	WaterMark.exe
284	svchost.exe
1452	WaterMark.exe
284	svchost.exe
1636	svchost.exe
284	svchost.exe
284	svchost.exe
1636	svchost.exe
1636	svchost.exe
284	svchost.exe
1636	svchost.exe
284	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
284	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Token: SeDebugPrivilege	1452	WaterMark.exe
Token: SeDebugPrivilege	1284	WaterMark.exe
Token: SeDebugPrivilege	284	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1452	WaterMark.exe
Token: SeDebugPrivilege	1284	WaterMark.exe
Token: SeDebugPrivilege	1696	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
1452	WaterMark.exe
1284	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1180	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	28
PID 1160 wrote to memory of 1180	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	28
PID 1160 wrote to memory of 1180	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	28
PID 1160 wrote to memory of 1180	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	28
PID 1180 wrote to memory of 1452	1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe	29
PID 1180 wrote to memory of 1452	1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe	29
PID 1180 wrote to memory of 1452	1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe	29
PID 1180 wrote to memory of 1452	1180	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe	29
PID 1160 wrote to memory of 1132	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	17
PID 1160 wrote to memory of 1228	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	16
PID 1160 wrote to memory of 1296	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	15
PID 1160 wrote to memory of 1180	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	28
PID 1160 wrote to memory of 1452	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	29
PID 1160 wrote to memory of 1452	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	29
PID 1160 wrote to memory of 1284	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	30
PID 1160 wrote to memory of 1284	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	30
PID 1160 wrote to memory of 1284	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	30
PID 1160 wrote to memory of 1284	1160	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe	30
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1452 wrote to memory of 1636	1452	WaterMark.exe	31
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1284 wrote to memory of 1696	1284	WaterMark.exe	32
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1452 wrote to memory of 1764	1452	WaterMark.exe	33
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 1284 wrote to memory of 284	1284	WaterMark.exe	34
PID 284 wrote to memory of 260	284	svchost.exe	5
PID 284 wrote to memory of 260	284	svchost.exe	5
PID 284 wrote to memory of 260	284	svchost.exe	5
PID 284 wrote to memory of 260	284	svchost.exe	5
PID 284 wrote to memory of 260	284	svchost.exe	5
PID 284 wrote to memory of 332	284	svchost.exe	4

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:460
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1092
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:364
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1132
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1044
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:340
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:868
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:844
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:800
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:656
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:580
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2024

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
  "C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
    C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1452
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Deletes itself
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:284

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry