ramnit | deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b

Modify Existing Service

T1031

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Executes dropped EXE 1 IoCs

Processes:

WaterMark.exe

pid process

1100 WaterMark.exe

pid	process
1100	WaterMark.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4356-134-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4356-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4356-132-0x0000000002530000-0x00000000035BE000-memory.dmp	upx
behavioral2/memory/4356-136-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4356-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4356-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4356-146-0x0000000002530000-0x00000000035BE000-memory.dmp	upx
behavioral2/memory/1100-151-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1100-152-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1100-153-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1100-156-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Drops file in Program Files directory 3 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5DE4.tmp	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Drops file in Windows directory 1 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011941"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1660969715"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1660969715"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1523314653"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011941"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011941"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1660969715"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{84B79CA9-A058-11ED-919F-7218A89707DE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{84C385DD-A058-11ED-919F-7218A89707DE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011941"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1523157666"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011941"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011941"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381818732"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1660969715"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exeWaterMark.exe

pid	process
4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe
1100	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2584 iexplore.exe

pid	process
2584	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	pid	process
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
Token: SeDebugPrivilege	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2584 iexplore.exe
2436 iexplore.exe

pid	process
2584	iexplore.exe
2436	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2436	iexplore.exe
2436	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
4536	IEXPLORE.EXE
4536	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
4536	IEXPLORE.EXE
4536	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exeWaterMark.exe

pid process

4356 deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
1100 WaterMark.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4356 wrote to memory of 776	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	fontdrvhost.exe
PID 4356 wrote to memory of 784	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	fontdrvhost.exe
PID 4356 wrote to memory of 1008	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	dwm.exe
PID 4356 wrote to memory of 2628	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	sihost.exe
PID 4356 wrote to memory of 2696	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	svchost.exe
PID 4356 wrote to memory of 2888	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	taskhostw.exe
PID 4356 wrote to memory of 2680	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	Explorer.EXE
PID 4356 wrote to memory of 3080	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	svchost.exe
PID 4356 wrote to memory of 3280	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	DllHost.exe
PID 4356 wrote to memory of 3368	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	StartMenuExperienceHost.exe
PID 4356 wrote to memory of 1100	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	WaterMark.exe
PID 4356 wrote to memory of 1100	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	WaterMark.exe
PID 4356 wrote to memory of 1100	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	WaterMark.exe
PID 4356 wrote to memory of 3440	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	RuntimeBroker.exe
PID 4356 wrote to memory of 3528	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	SearchApp.exe
PID 4356 wrote to memory of 3784	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	RuntimeBroker.exe
PID 4356 wrote to memory of 4672	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	RuntimeBroker.exe
PID 4356 wrote to memory of 3292	4356	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe	RuntimeBroker.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 4268	1100	WaterMark.exe	svchost.exe
PID 1100 wrote to memory of 2584	1100	WaterMark.exe	iexplore.exe
PID 1100 wrote to memory of 2584	1100	WaterMark.exe	iexplore.exe
PID 1100 wrote to memory of 2436	1100	WaterMark.exe	iexplore.exe
PID 1100 wrote to memory of 2436	1100	WaterMark.exe	iexplore.exe
PID 2584 wrote to memory of 4536	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 4536	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 4536	2584	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2608	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2608	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2608	2436	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1008

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2888

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe
"C:\Users\Admin\AppData\Local\Temp\deb5deb65b397c80f01ebb40633d3da7d5994bfcf5b2c3095904477c3e1b166b.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4356

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:4268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3292

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools