ramnit | ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4

Analysis

max time kernel
151s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4.dll
Size

476KB
MD5

5c60bf0ee0e32352dfa296e7e5adf012
SHA1

505c15cffb2243eb8209e5524f7691f24fd5afd8
SHA256

ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4
SHA512

485eacd18b80dac3b8b491239a90d7a8dfd411680c47e02bdf749cdc96afc1f848c5e3a492e39496883eeb83cf12667760f76a09222a4c832ba68d634920cc19
SSDEEP

12288:c3ZlSTSCgUXqyGS8x/Fu0zLWO612HxEj/E+:cpkTSCgtyiRzaXqi8+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1256	regsvr32mgr.exe
2088	WaterMark.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1256-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1256-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1256-142-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1256-143-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1256-145-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1256-144-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1256-149-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2088-158-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-159-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-160-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-161-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-162-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-163-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-164-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2088-165-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1256	regsvr32mgr.exe
2088	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCF7.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Wplugin.dll	regsvr32mgr.exe
File opened for modification	C:\Windows\Wplugin.dll	regsvr32mgr.exe
File created	C:\Windows\explorer.exe.local	regsvr32mgr.exe
File created	C:\Windows\ws2help.dll	regsvr32mgr.exe
File opened for modification	C:\Windows\ws2help.dll	regsvr32mgr.exe
File created	C:\Windows\Wplugin.dll	WaterMark.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	2992	WerFault.exe	89

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001619"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A93669C3-7806-11ED-BF5F-5EDCA19B148A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2374667180"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2374667180"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001619"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine.1\ = "InstallShield Script Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptEngine2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\ = "InstallShield Script Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptEngine2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\VersionIndependentProgID\ = "IPW.ScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptController"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine\CLSID\ = "{777C89DF-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\ = "InstallShield Script 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C89DE-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C89DE-5C36-11D5-ABAF-00B0D02332EB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\ProgID\ = "IPW.ScriptEngine.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C89DE-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine\ = "InstallShield Script Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E2-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777C89DF-5C36-11D5-ABAF-00B0D02332EB}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C89DE-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E1-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C89DE-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E3-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89E8-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.ScriptEngine\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1256	regsvr32mgr.exe
1256	regsvr32mgr.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe
2088	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1548	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1548	iexplore.exe
1548	iexplore.exe
3340	IEXPLORE.EXE
3340	IEXPLORE.EXE
3340	IEXPLORE.EXE
3340	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1256	regsvr32mgr.exe
2088	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4604	2040	regsvr32.exe	84
PID 2040 wrote to memory of 4604	2040	regsvr32.exe	84
PID 2040 wrote to memory of 4604	2040	regsvr32.exe	84
PID 4604 wrote to memory of 1256	4604	regsvr32.exe	87
PID 4604 wrote to memory of 1256	4604	regsvr32.exe	87
PID 4604 wrote to memory of 1256	4604	regsvr32.exe	87
PID 1256 wrote to memory of 2088	1256	regsvr32mgr.exe	88
PID 1256 wrote to memory of 2088	1256	regsvr32mgr.exe	88
PID 1256 wrote to memory of 2088	1256	regsvr32mgr.exe	88
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 2992	2088	WaterMark.exe	89
PID 2088 wrote to memory of 1548	2088	WaterMark.exe	94
PID 2088 wrote to memory of 1548	2088	WaterMark.exe	94
PID 2088 wrote to memory of 1900	2088	WaterMark.exe	95
PID 2088 wrote to memory of 1900	2088	WaterMark.exe	95
PID 1548 wrote to memory of 3340	1548	iexplore.exe	96
PID 1548 wrote to memory of 3340	1548	iexplore.exe	96
PID 1548 wrote to memory of 3340	1548	iexplore.exe	96

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ca53766dd065aa758fef3431cce4a983b8a7cc334d94a26c49fdbfb95462e6c4.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 208
        6⤵
        Program crash
        
        PID:1948
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        
        PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2992 -ip 2992
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
243KB

MD5
b9883f7a99992312ed2104f4eaa5da95

SHA1
6465eaf29c0c531364413f1200ec0c60385d36e0

SHA256
5640ad2bfce43f94cc94c313918a1fdd45d2e6f905025c50c1446e2bf7fdf50f

SHA512
44f83e240d5e0904e0b9d4ae6021af76e44a8bbe16a84dd11a02fc390c33ff0d07af11adce3b964cb63744abd118b3b5a32a146442a041ccfa9478edb395ea5f

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
243KB

MD5
b9883f7a99992312ed2104f4eaa5da95

SHA1
6465eaf29c0c531364413f1200ec0c60385d36e0

SHA256
5640ad2bfce43f94cc94c313918a1fdd45d2e6f905025c50c1446e2bf7fdf50f

SHA512
44f83e240d5e0904e0b9d4ae6021af76e44a8bbe16a84dd11a02fc390c33ff0d07af11adce3b964cb63744abd118b3b5a32a146442a041ccfa9478edb395ea5f

Download Submit
C:\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
C:\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
C:\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
243KB

MD5
b9883f7a99992312ed2104f4eaa5da95

SHA1
6465eaf29c0c531364413f1200ec0c60385d36e0

SHA256
5640ad2bfce43f94cc94c313918a1fdd45d2e6f905025c50c1446e2bf7fdf50f

SHA512
44f83e240d5e0904e0b9d4ae6021af76e44a8bbe16a84dd11a02fc390c33ff0d07af11adce3b964cb63744abd118b3b5a32a146442a041ccfa9478edb395ea5f

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
243KB

MD5
b9883f7a99992312ed2104f4eaa5da95

SHA1
6465eaf29c0c531364413f1200ec0c60385d36e0

SHA256
5640ad2bfce43f94cc94c313918a1fdd45d2e6f905025c50c1446e2bf7fdf50f

SHA512
44f83e240d5e0904e0b9d4ae6021af76e44a8bbe16a84dd11a02fc390c33ff0d07af11adce3b964cb63744abd118b3b5a32a146442a041ccfa9478edb395ea5f

Download Submit
memory/1256-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1256-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1256-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1256-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1256-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1256-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1256-134-0x0000000000000000-mapping.dmp

Download
memory/1256-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2088-146-0x0000000000000000-mapping.dmp

Download
memory/2088-158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-159-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-160-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-161-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-163-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-164-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-165-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2992-157-0x0000000000000000-mapping.dmp

Download
memory/4604-132-0x0000000000000000-mapping.dmp

Download
memory/4604-133-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download