ramnit | c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8

General

Target

c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll
Size

157KB
MD5

5d5bed54a20709d639a8cccb47b87c47
SHA1

e98c5f4d7139731abf1ec3ad305c991af6eebb15
SHA256

c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8
SHA512

7193a0ec1bfa0f6f1d72fd57a2be46cb6d2e14aacce1e45c6069bacb82ef5ed8d385acd63f48ff08179dacca6a6a8cd96cb1e67a2e4153dbaf6b059099dcccd6
SSDEEP

3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1p:IMqWfdNANG6yEYZ7DVQgsQLPzo1p

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp	UPX

Executes dropped EXE 7 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

1544 rundll32mgr.exe
4132 rundll32mgrmgr.exe
4940 WaterMark.exe
1692 WaterMarkmgr.exe
3688 WaterMark.exe
3076 WaterMarkmgr.exe
1252 WaterMark.exe

pid	process
1544	rundll32mgr.exe
4132	rundll32mgrmgr.exe
4940	WaterMark.exe
1692	WaterMarkmgr.exe
3688	WaterMark.exe
3076	WaterMarkmgr.exe
1252	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1544-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3076-78-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

rundll32.exerundll32mgr.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32mgr.exeWaterMarkmgr.exeWaterMark.exeWaterMarkmgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px46AE.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4759.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px47A8.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px46BD.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3656 3952 WerFault.exe svchost.exe
1552 2112 WerFault.exe svchost.exe
4592 1804 WerFault.exe svchost.exe

pid	pid_target	process	target process
3656	3952	WerFault.exe	svchost.exe
1552	2112	WerFault.exe	svchost.exe
4592	1804	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F5FFF12-1B09-11EF-A084-FE55E2F65CCF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423456309"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1673684038"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1676496559"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108886"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108886"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1673684038"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108886"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exe

pid	process
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
4940	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
3688	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe
1252	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeWaterMark.exeWaterMark.exeWaterMark.exe

description	pid	process
Token: SeDebugPrivilege	4816	rundll32.exe
Token: SeDebugPrivilege	4940	WaterMark.exe
Token: SeDebugPrivilege	3688	WaterMark.exe
Token: SeDebugPrivilege	1252	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4092 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4092 iexplore.exe
4092 iexplore.exe
2148 IEXPLORE.EXE
2148 IEXPLORE.EXE
2148 IEXPLORE.EXE
2148 IEXPLORE.EXE
Suspicious use of UnmapMainImage 7 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

1544 rundll32mgr.exe
4132 rundll32mgrmgr.exe
4940 WaterMark.exe
1692 WaterMarkmgr.exe
3688 WaterMark.exe
3076 WaterMarkmgr.exe
1252 WaterMark.exe

pid	process
4092	iexplore.exe

pid	process
4092	iexplore.exe
4092	iexplore.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

pid	process
1544	rundll32mgr.exe
4132	rundll32mgrmgr.exe
4940	WaterMark.exe
1692	WaterMarkmgr.exe
3688	WaterMark.exe
3076	WaterMarkmgr.exe
1252	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeiexplore.exe

description	pid	process	target process
PID 4468 wrote to memory of 4816	4468	rundll32.exe	rundll32.exe
PID 4468 wrote to memory of 4816	4468	rundll32.exe	rundll32.exe
PID 4468 wrote to memory of 4816	4468	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 1544	4816	rundll32.exe	rundll32mgr.exe
PID 4816 wrote to memory of 1544	4816	rundll32.exe	rundll32mgr.exe
PID 4816 wrote to memory of 1544	4816	rundll32.exe	rundll32mgr.exe
PID 1544 wrote to memory of 4132	1544	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1544 wrote to memory of 4132	1544	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1544 wrote to memory of 4132	1544	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1544 wrote to memory of 4940	1544	rundll32mgr.exe	WaterMark.exe
PID 1544 wrote to memory of 4940	1544	rundll32mgr.exe	WaterMark.exe
PID 1544 wrote to memory of 4940	1544	rundll32mgr.exe	WaterMark.exe
PID 4940 wrote to memory of 1692	4940	WaterMark.exe	WaterMarkmgr.exe
PID 4940 wrote to memory of 1692	4940	WaterMark.exe	WaterMarkmgr.exe
PID 4940 wrote to memory of 1692	4940	WaterMark.exe	WaterMarkmgr.exe
PID 1692 wrote to memory of 3688	1692	WaterMarkmgr.exe	WaterMark.exe
PID 1692 wrote to memory of 3688	1692	WaterMarkmgr.exe	WaterMark.exe
PID 1692 wrote to memory of 3688	1692	WaterMarkmgr.exe	WaterMark.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 3952	4940	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 3076	3688	WaterMark.exe	WaterMarkmgr.exe
PID 3688 wrote to memory of 3076	3688	WaterMark.exe	WaterMarkmgr.exe
PID 3688 wrote to memory of 3076	3688	WaterMark.exe	WaterMarkmgr.exe
PID 3076 wrote to memory of 1252	3076	WaterMarkmgr.exe	WaterMark.exe
PID 3076 wrote to memory of 1252	3076	WaterMarkmgr.exe	WaterMark.exe
PID 3076 wrote to memory of 1252	3076	WaterMarkmgr.exe	WaterMark.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 3688 wrote to memory of 2112	3688	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 1252 wrote to memory of 1804	1252	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 4092	4940	WaterMark.exe	iexplore.exe
PID 4940 wrote to memory of 4092	4940	WaterMark.exe	iexplore.exe
PID 4940 wrote to memory of 3992	4940	WaterMark.exe	iexplore.exe
PID 4940 wrote to memory of 3992	4940	WaterMark.exe	iexplore.exe
PID 3688 wrote to memory of 4800	3688	WaterMark.exe	iexplore.exe
PID 3688 wrote to memory of 4800	3688	WaterMark.exe	iexplore.exe
PID 3688 wrote to memory of 2484	3688	WaterMark.exe	iexplore.exe
PID 3688 wrote to memory of 2484	3688	WaterMark.exe	iexplore.exe
PID 1252 wrote to memory of 4960	1252	WaterMark.exe	iexplore.exe
PID 1252 wrote to memory of 4960	1252	WaterMark.exe	iexplore.exe
PID 4092 wrote to memory of 2148	4092	iexplore.exe	IEXPLORE.EXE
PID 4092 wrote to memory of 2148	4092	iexplore.exe	IEXPLORE.EXE
PID 4092 wrote to memory of 2148	4092	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:4132

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4940

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3688

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
9⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 204
10⤵
- Program crash
PID:4592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
- Modifies Internet Explorer settings
PID:4960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
- Modifies Internet Explorer settings
PID:1384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 204
8⤵
- Program crash
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:4800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 204
6⤵
- Program crash
PID:3656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2112 -ip 2112
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1804 -ip 1804
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3952 -ip 3952
1⤵
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
c41ab5352ba79baac9ac093dd7eb2500

SHA1
1ffb0e70f86845daba211aeda43cad539d34ffd3

SHA256
558e13bb7aa293569457e9703d2db37e8365e2ab670b2c3484ada9336ed24895

SHA512
ccebe3f11039e14d39d4102652669fd372d179778bf73fae0659dd01da569bbf850b273cd3a4e13dc77b3fd4fb4d84d01525ac3a0dcb23b297c733da10bc2ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
c43fcd026151e6262e3faa8b26461505

SHA1
0477bd98ed8575997735d2f5347fdce1dadacdf4

SHA256
d759c80c98a16a4d48a4268e440766869a8cf28ea3a2327e1d17c197e9dc95d1

SHA512
4a8b7f0f92ac30d28b1f547b8bf3af190b359126b946c0adc9e8fb30dd938ecdd5cb72d6481b5548f57dcc941f2c3a377603ea2c81fe0efac6cc203acfdb2866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe
Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
memory/1252-90-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1544-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-25-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3076-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3688-71-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3952-76-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3952-77-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4132-32-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4132-12-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4132-31-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4816-6-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/4816-11-0x0000000077B12000-0x0000000077B13000-memory.dmp

Filesize
4KB

Download
memory/4816-5-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4816-1-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4940-48-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4940-92-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4940-96-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4940-98-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4940-59-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4940-61-0x0000000077B12000-0x0000000077B13000-memory.dmp

Filesize
4KB

Download
memory/4940-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads