ramnit | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeWaterMark.exeWaterMark.exe

pid process

2004 e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
4844 WaterMark.exe
4908 WaterMark.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4888 netsh.exe

pid	process
2004	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
4844	WaterMark.exe
4908	WaterMark.exe

pid	process
4888	netsh.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/928-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/928-136-0x0000000003490000-0x00000000044C1000-memory.dmp	upx
behavioral2/memory/2004-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/928-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/928-151-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4844-145-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/928-154-0x0000000003490000-0x00000000044C1000-memory.dmp	upx
behavioral2/memory/4908-158-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4844-163-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4908-164-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4844-165-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Drops file in Program Files directory 5 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCDA.tmp	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCE70.tmp	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Drops file in Windows directory 1 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4224 4860 WerFault.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

pid	pid_target	process	target process
4224	4860	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62295B-6B5A-11ED-AECB-5E3721E937B7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950397484"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3122117556"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62777B-6B5A-11ED-AECB-5E3721E937B7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62506B-6B5A-11ED-AECB-5E3721E937B7} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375389241"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA629E8B-6B5A-11ED-AECB-5E3721E937B7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3122117556"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

WaterMark.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exeWaterMark.exe

pid	process
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4844	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe
4908	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2904 iexplore.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

WaterMark.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exeWaterMark.exe

description	pid	process
Token: SeDebugPrivilege	4844	WaterMark.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	4908	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2708 iexplore.exe
4776 iexplore.exe
2904 iexplore.exe
1468 iexplore.exe

pid	process
2708	iexplore.exe
4776	iexplore.exe
2904	iexplore.exe
1468	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2904	iexplore.exe
1468	iexplore.exe
2904	iexplore.exe
1468	iexplore.exe
4776	iexplore.exe
4776	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2392	IEXPLORE.EXE
2212	IEXPLORE.EXE
2044	IEXPLORE.EXE
2392	IEXPLORE.EXE
3776	IEXPLORE.EXE
2212	IEXPLORE.EXE
2044	IEXPLORE.EXE
3776	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

pid process

928 e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

pid	process
928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeWaterMark.exeWaterMark.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 928 wrote to memory of 2004	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 928 wrote to memory of 2004	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 928 wrote to memory of 2004	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 2004 wrote to memory of 4844	2004	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 2004 wrote to memory of 4844	2004	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 2004 wrote to memory of 4844	2004	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 928 wrote to memory of 4908	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WaterMark.exe
PID 928 wrote to memory of 4908	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WaterMark.exe
PID 928 wrote to memory of 4908	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WaterMark.exe
PID 928 wrote to memory of 792	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	fontdrvhost.exe
PID 928 wrote to memory of 800	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	fontdrvhost.exe
PID 928 wrote to memory of 376	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	dwm.exe
PID 928 wrote to memory of 4888	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	netsh.exe
PID 928 wrote to memory of 4888	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	netsh.exe
PID 928 wrote to memory of 4888	928	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	netsh.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 4860	4844	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4908 wrote to memory of 4856	4908	WaterMark.exe	svchost.exe
PID 4844 wrote to memory of 2904	4844	WaterMark.exe	iexplore.exe
PID 4844 wrote to memory of 2904	4844	WaterMark.exe	iexplore.exe
PID 4908 wrote to memory of 2708	4908	WaterMark.exe	iexplore.exe
PID 4908 wrote to memory of 2708	4908	WaterMark.exe	iexplore.exe
PID 4844 wrote to memory of 4776	4844	WaterMark.exe	iexplore.exe
PID 4844 wrote to memory of 4776	4844	WaterMark.exe	iexplore.exe
PID 4908 wrote to memory of 1468	4908	WaterMark.exe	iexplore.exe
PID 4908 wrote to memory of 1468	4908	WaterMark.exe	iexplore.exe
PID 2904 wrote to memory of 2044	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2044	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2044	2904	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 3776	1468	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 3776	1468	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 3776	1468	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 2392	4776	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 2392	4776	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 2392	4776	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2212	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2212	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2212	2708	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:376

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
"C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe"
1⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:928

C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 204
5⤵
- Program crash
PID:4224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:4888

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry