ramnit | 964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Executes dropped EXE 3 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exeWaterMark.exeWaterMark.exe

pid process

1172 964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
2020 WaterMark.exe
580 WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1184-61-0x0000000002700000-0x000000000378E000-memory.dmp	upx
behavioral1/memory/1172-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1172-64-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1172-69-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1172-74-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1184-77-0x0000000002700000-0x000000000378E000-memory.dmp	upx
behavioral1/memory/1184-89-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1184-95-0x0000000002700000-0x000000000378E000-memory.dmp	upx
behavioral1/memory/580-104-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/580-106-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2020-108-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/580-182-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe

pid	process
1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 6 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4E31.tmp	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px49CD.tmp	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe

Drops file in Windows directory 1 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exeWaterMark.exeWaterMark.exesvchost.exe

pid	process
1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
2020	WaterMark.exe
2020	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
580	WaterMark.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exeWaterMark.exeWaterMark.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
Token: SeDebugPrivilege	2020	WaterMark.exe
Token: SeDebugPrivilege	580	WaterMark.exe
Token: SeDebugPrivilege	1984	svchost.exe
Token: SeDebugPrivilege	2020	WaterMark.exe
Token: SeDebugPrivilege	580	WaterMark.exe
Token: SeDebugPrivilege	1640	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exeWaterMark.exeWaterMark.exe

pid	process
1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
2020	WaterMark.exe
580	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exeWaterMark.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1172 wrote to memory of 2020	1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe	WaterMark.exe
PID 1172 wrote to memory of 2020	1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe	WaterMark.exe
PID 1172 wrote to memory of 2020	1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe	WaterMark.exe
PID 1172 wrote to memory of 2020	1172	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe	WaterMark.exe
PID 1184 wrote to memory of 1256	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	taskhost.exe
PID 1184 wrote to memory of 1340	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	Dwm.exe
PID 1184 wrote to memory of 1412	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	Explorer.EXE
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1184 wrote to memory of 1172	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
PID 1184 wrote to memory of 580	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	WaterMark.exe
PID 1184 wrote to memory of 580	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	WaterMark.exe
PID 1184 wrote to memory of 580	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	WaterMark.exe
PID 1184 wrote to memory of 580	1184	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe	WaterMark.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 2020 wrote to memory of 1640	2020	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 2004	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 580 wrote to memory of 1984	580	WaterMark.exe	svchost.exe
PID 1984 wrote to memory of 260	1984	svchost.exe	smss.exe
PID 1984 wrote to memory of 260	1984	svchost.exe	smss.exe
PID 1984 wrote to memory of 260	1984	svchost.exe	smss.exe
PID 1984 wrote to memory of 260	1984	svchost.exe	smss.exe
PID 1984 wrote to memory of 260	1984	svchost.exe	smss.exe
PID 1984 wrote to memory of 332	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 332	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 332	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 332	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 332	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 368	1984	svchost.exe	wininit.exe
PID 1984 wrote to memory of 368	1984	svchost.exe	wininit.exe
PID 1984 wrote to memory of 368	1984	svchost.exe	wininit.exe
PID 1984 wrote to memory of 368	1984	svchost.exe	wininit.exe
PID 1984 wrote to memory of 368	1984	svchost.exe	wininit.exe
PID 1984 wrote to memory of 376	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 376	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 376	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 376	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 376	1984	svchost.exe	csrss.exe
PID 1984 wrote to memory of 416	1984	svchost.exe	winlogon.exe
PID 1984 wrote to memory of 416	1984	svchost.exe	winlogon.exe
PID 1984 wrote to memory of 416	1984	svchost.exe	winlogon.exe
PID 1984 wrote to memory of 416	1984	svchost.exe	winlogon.exe
PID 1984 wrote to memory of 416	1984	svchost.exe	winlogon.exe
PID 1984 wrote to memory of 460	1984	svchost.exe	services.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:584
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1812
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1756
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1256
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:732
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
  "C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
    C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:2004
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry