ramnit | 54ca0786d43bab6d703663c08a1cd05af8a44898f1a1b2a8884ea6b65284b880

Analysis

max time kernel
134s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll
Size

157KB
MD5

2dd679cfde3da100f00bb847f8f14b00
SHA1

2c38960b235d278311536ed7d023cbf30e022117
SHA256

54ca0786d43bab6d703663c08a1cd05af8a44898f1a1b2a8884ea6b65284b880
SHA512

797680843853477faef775f9d82505d15ff17987f23526b6c7495aca17062dae46a1f7e68af3cb625bb2daa21878ef19632e87b40bbba4bfd1c05bae2e1c82b0
SSDEEP

3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1G:IMqWfdNANG6yEYZ7DVQgsQLPzo1G

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

pid	Process
3148	rundll32mgr.exe
4540	rundll32mgrmgr.exe
3860	WaterMark.exe
384	WaterMarkmgr.exe
1580	WaterMark.exe
1664	WaterMark.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3148-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3148-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4540-54-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1664-69-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/384-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3860-57-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/384-53-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4540-31-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3148-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3148-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3148-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3148-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3148-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3860-87-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3860-88-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4C3B.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4BBE.tmp	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4BFD.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4024	4624	WerFault.exe	94
3728	2484	WerFault.exe	91
836	1180	WerFault.exe	93

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1807956129"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109286"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109286"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1810924903"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{975C0F56-1C99-11EF-BCA5-FE55E2F65CCF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1810924903"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109286"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9759ADA0-1C99-11EF-BCA5-FE55E2F65CCF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109286"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423628122"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1807956129"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
3860	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1664	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	rundll32.exe
Token: SeDebugPrivilege	3860	WaterMark.exe
Token: SeDebugPrivilege	1664	WaterMark.exe
Token: SeDebugPrivilege	1580	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
184	iexplore.exe
1164	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
184	iexplore.exe
184	iexplore.exe
1164	iexplore.exe
1164	iexplore.exe
3148	IEXPLORE.EXE
3148	IEXPLORE.EXE
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
3148	IEXPLORE.EXE
3148	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
3148	rundll32mgr.exe
4540	rundll32mgrmgr.exe
3860	WaterMark.exe
384	WaterMarkmgr.exe
1664	WaterMark.exe
1580	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4636	4952	rundll32.exe	84
PID 4952 wrote to memory of 4636	4952	rundll32.exe	84
PID 4952 wrote to memory of 4636	4952	rundll32.exe	84
PID 4636 wrote to memory of 3148	4636	rundll32.exe	85
PID 4636 wrote to memory of 3148	4636	rundll32.exe	85
PID 4636 wrote to memory of 3148	4636	rundll32.exe	85
PID 3148 wrote to memory of 4540	3148	rundll32mgr.exe	86
PID 3148 wrote to memory of 4540	3148	rundll32mgr.exe	86
PID 3148 wrote to memory of 4540	3148	rundll32mgr.exe	86
PID 3148 wrote to memory of 3860	3148	rundll32mgr.exe	87
PID 3148 wrote to memory of 3860	3148	rundll32mgr.exe	87
PID 3148 wrote to memory of 3860	3148	rundll32mgr.exe	87
PID 3860 wrote to memory of 384	3860	WaterMark.exe	88
PID 3860 wrote to memory of 384	3860	WaterMark.exe	88
PID 3860 wrote to memory of 384	3860	WaterMark.exe	88
PID 4540 wrote to memory of 1580	4540	rundll32mgrmgr.exe	89
PID 4540 wrote to memory of 1580	4540	rundll32mgrmgr.exe	89
PID 4540 wrote to memory of 1580	4540	rundll32mgrmgr.exe	89
PID 384 wrote to memory of 1664	384	WaterMarkmgr.exe	90
PID 384 wrote to memory of 1664	384	WaterMarkmgr.exe	90
PID 384 wrote to memory of 1664	384	WaterMarkmgr.exe	90
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 3860 wrote to memory of 2484	3860	WaterMark.exe	91
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1664 wrote to memory of 1180	1664	WaterMark.exe	93
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 1580 wrote to memory of 4624	1580	WaterMark.exe	94
PID 3860 wrote to memory of 184	3860	WaterMark.exe	111
PID 3860 wrote to memory of 184	3860	WaterMark.exe	111
PID 3860 wrote to memory of 1164	3860	WaterMark.exe	112
PID 3860 wrote to memory of 1164	3860	WaterMark.exe	112
PID 1664 wrote to memory of 4320	1664	WaterMark.exe	113
PID 1664 wrote to memory of 4320	1664	WaterMark.exe	113
PID 1664 wrote to memory of 952	1664	WaterMark.exe	114
PID 1664 wrote to memory of 952	1664	WaterMark.exe	114
PID 1580 wrote to memory of 440	1580	WaterMark.exe	115
PID 1580 wrote to memory of 440	1580	WaterMark.exe	115
PID 1580 wrote to memory of 2192	1580	WaterMark.exe	116
PID 1580 wrote to memory of 2192	1580	WaterMark.exe	116
PID 1164 wrote to memory of 1840	1164	iexplore.exe	117
PID 1164 wrote to memory of 1840	1164	iexplore.exe	117
PID 1164 wrote to memory of 1840	1164	iexplore.exe	117
PID 184 wrote to memory of 3148	184	iexplore.exe	118

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 204
        7⤵
        Program crash
        
        PID:4024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:2192
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 204
        8⤵
        Program crash
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:4320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:952
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 204
        6⤵
        Program crash
        
        PID:3728
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:184
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3148
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1180 -ip 1180
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2484 -ip 2484
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
39f991f6e6aecffbe2db5dcecf1f226f

SHA1
b512ccfff1d83f102d75aa8f78df0c7051bd2df0

SHA256
6911a1c252519f8cb3db2a3eead8863ae288e14c699866b2bc580cfc0f3f42a7

SHA512
3d7954ad14d8361a0f9a5939c0b0290bb42fa32ac2da1a809d3985195347898f4f0b1d0c1e33d87a6d14d61c48fe3258d7820a0bece6723b0f6e18eb60307e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4dc5bacd560cf82ea23fda3cc3075e56

SHA1
e12a6f56b66854bda1e0543cc37eea2395f5bc46

SHA256
1a5d5775f834aa6f595db038d84e71f2f6d550d732dace93d805db4f6224a68e

SHA512
17fe26ed4cbc57d0b76516367ce3673f05d2cc630761d15fdbf951f793cf558468194278826db9715fac115b473fd55ddd62b257f878370f2e71db2875aa43e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
37ac76161e26f61091754cf341c2ea21

SHA1
e13c9231b4a0c13dd76d94bbbf33bb5fd76a256e

SHA256
e809235da649b0a8e29219b7170ab48b88580abbc75fb79aa6cb00cbc7b1d6c7

SHA512
36542b863e2738c9b547c47b3683e846c8f220dc432c8592df967737a0f3e3cfaa4a66b367fe686276615d0d7cce3a722875209a372c55c0b6ff2bf6b181a6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9759ADA0-1C99-11EF-BCA5-FE55E2F65CCF}.dat

Filesize
5KB

MD5
75e741e247c891d20ef79b5cef7cac7c

SHA1
584011759673b3634956de779cfa373d607ed97c

SHA256
95babf7776c41d429a1111d0f20ef602776c5c8d40c70e3e7bcaf64642544879

SHA512
c746a23e783922105b2a4027f32dbcbf2968f7155a4f27a4047d3f6b97c46d9a1f2888fc31d16d65830ea01df7282cc1e970a422896529f8bb53494bfd699e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{975C0F56-1C99-11EF-BCA5-FE55E2F65CCF}.dat

Filesize
3KB

MD5
9ffacb397f9d458029f2ba44593bc857

SHA1
b12b515bf4944d9be71844e5f43bb589204ecdea

SHA256
87bac58ac0a041f99187f4c68077494ccd6a2979af537dfeb6def16bd3782c53

SHA512
83843260f1fc16e302e47a88b2668071c04c670e9514298408d04c2ec2a1461b4b2e98de734d0d73157a5f30008cdf8088521c5b4413e23232f7d4a641c480f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
memory/384-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/384-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1664-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1664-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-73-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2484-72-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3148-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3148-32-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3148-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3860-87-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3860-58-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/3860-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3860-50-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3860-82-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3860-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4540-55-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/4540-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4540-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4540-56-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4636-2-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/4636-6-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/4636-3-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4636-4-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download