Analysis
max time kernel: 93s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2024 01:08
Static task: static1
Behavioral task: behavioral1
Sample: 984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
Resource: win7-20241023-en
General
Target: 984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
Size: 272KB
MD5: 984c8e7ac695f9968bcc99bbee6bc344
SHA1: 08d56c10e70bdf6c2c88b50a76c281ea141b56c3
SHA256: a862ceb0054409b5bdd7dce8ee74a98b4d81d1c3d910596ddb8eeb06922724a8
SHA512: 04cb464cfa10f96cd62701c7a054ca657ecc1839cf580f99164342d2b6a95a80c136b7e91af9b5e7216146cb1feea627855071065a6aae6a710ba1f8bcc196f2
SSDEEP: 3072:Z3BWcSZ2ShqnTTHQ+4+lB66EdOuqzsi/I14FI+fbeNUJRQ:Z3BWc7nb436EdOzsi/ZI+KNb
Malware Config
Signatures
Ramnit family
Executes dropped EXE (6 IoCs)
pid   Process
1784  regsvr32mgr.exe
4580  regsvr32mgrmgr.exe
2652  WaterMark.exe
1936  WaterMark.exe
4596  WaterMarkmgr.exe
216   WaterMark.exe
Drops file in System32 directory (2 IoCs)
description   ioc                                      Process
File created  C:\Windows\SysWOW64\regsvr32mgr.exe      regsvr32.exe
File created  C:\Windows\SysWOW64\regsvr32mgrmgr.exe   regsvr32mgr.exe
resource                                                                      yara_rule
behavioral2/memory/1784-11-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-15-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-13-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-12-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4580-29-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4596-68-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1936-67-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4596-59-0x0000000000400000-0x000000000043B000-memory.dmp  upx
behavioral2/memory/1936-56-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/2652-51-0x0000000000400000-0x0000000000459000-memory.dmp  upx
behavioral2/memory/2652-61-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-28-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-24-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1784-23-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1936-88-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/2652-87-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/2652-89-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Drops file in Program Files directory (10 IoCs)
description                   ioc                                                Process
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     regsvr32mgrmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  WaterMark.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     WaterMarkmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  WaterMark.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  WaterMark.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px7C54.tmp        WaterMarkmgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px7BF6.tmp        regsvr32mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     regsvr32mgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe     regsvr32mgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px7BF6.tmp        regsvr32mgrmgr.exe
Program crash (3 IoCs)
pid   pid_target  Process       procid_target
2776  2292        WerFault.exe  90
1492  4404        WerFault.exe  93
2344  2760        WerFault.exe  91
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                                Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32mgrmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMarkmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32mgr.exe
Modifies Internet Explorer settings (64 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2831133409"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145686"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145686"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2834258000"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145686"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145686"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D4430CE4-AAC9-11EF-B9B6-6AACA39217E0} = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D43E47E9-AAC9-11EF-B9B6-6AACA39217E0} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2834258000"  IEXPLORE.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145686"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2831133409"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2831133409"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D440AA5B-AAC9-11EF-B9B6-6AACA39217E0} = "0"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2831289309"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145686"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D43C0C87-AAC9-11EF-B9B6-6AACA39217E0} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145686"  iexplore.exe
Modifies registry class (19 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"  regsvr32.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\Interface  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods  regsvr32.exe
Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"  regsvr32.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid   Process
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
2652  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
1936  WaterMark.exe
2652  WaterMark.exe
1936  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
2652  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
1936  WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
216   WaterMark.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1936  WaterMark.exe
Token: SeDebugPrivilege  2652  WaterMark.exe
Token: SeDebugPrivilege  216   WaterMark.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
pid   Process
5012  iexplore.exe
4172  iexplore.exe
3168  iexplore.exe
5112  iexplore.exe
3424  iexplore.exe
Suspicious use of SetWindowsHookEx (22 IoCs)
pid   Process
5012  iexplore.exe
5012  iexplore.exe
3168  iexplore.exe
3168  iexplore.exe
5112  iexplore.exe
5112  iexplore.exe
3424  iexplore.exe
3424  iexplore.exe
4172  iexplore.exe
4172  iexplore.exe
3008  IEXPLORE.EXE
3008  IEXPLORE.EXE
376   IEXPLORE.EXE
376   IEXPLORE.EXE
464   IEXPLORE.EXE
464   IEXPLORE.EXE
4088  IEXPLORE.EXE
4088  IEXPLORE.EXE
3524  IEXPLORE.EXE
3524  IEXPLORE.EXE
376   IEXPLORE.EXE
376   IEXPLORE.EXE
Suspicious use of UnmapMainImage (6 IoCs)
pid   Process
1784  regsvr32mgr.exe
4580  regsvr32mgrmgr.exe
2652  WaterMark.exe
1936  WaterMark.exe
4596  WaterMarkmgr.exe
216   WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid   Process             procid_target
PID 4012 wrote to memory of 4564    4012  regsvr32.exe        83
PID 4012 wrote to memory of 4564    4012  regsvr32.exe        83
PID 4012 wrote to memory of 4564    4012  regsvr32.exe        83
PID 4564 wrote to memory of 1784    4564  regsvr32.exe        84
PID 4564 wrote to memory of 1784    4564  regsvr32.exe        84
PID 4564 wrote to memory of 1784    4564  regsvr32.exe        84
PID 1784 wrote to memory of 4580    1784  regsvr32mgr.exe     85
PID 1784 wrote to memory of 4580    1784  regsvr32mgr.exe     85
PID 1784 wrote to memory of 4580    1784  regsvr32mgr.exe     85
PID 4580 wrote to memory of 2652    4580  regsvr32mgrmgr.exe  87
PID 4580 wrote to memory of 2652    4580  regsvr32mgrmgr.exe  87
PID 4580 wrote to memory of 2652    4580  regsvr32mgrmgr.exe  87
PID 1784 wrote to memory of 1936    1784  regsvr32mgr.exe     86
PID 1784 wrote to memory of 1936    1784  regsvr32mgr.exe     86
PID 1784 wrote to memory of 1936    1784  regsvr32mgr.exe     86
PID 2652 wrote to memory of 4596    2652  WaterMark.exe       88
PID 2652 wrote to memory of 4596    2652  WaterMark.exe       88
PID 2652 wrote to memory of 4596    2652  WaterMark.exe       88
PID 4596 wrote to memory of 216     4596  WaterMarkmgr.exe    89
PID 4596 wrote to memory of 216     4596  WaterMarkmgr.exe    89
PID 4596 wrote to memory of 216     4596  WaterMarkmgr.exe    89
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 1936 wrote to memory of 2292    1936  WaterMark.exe       90
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 2652 wrote to memory of 2760    2652  WaterMark.exe       91
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 216 wrote to memory of 4404     216   WaterMark.exe       93
PID 2652 wrote to memory of 4172    2652  WaterMark.exe       103
PID 2652 wrote to memory of 4172    2652  WaterMark.exe       103
PID 1936 wrote to memory of 3168    1936  WaterMark.exe       104
PID 1936 wrote to memory of 3168    1936  WaterMark.exe       104
PID 2652 wrote to memory of 3424    2652  WaterMark.exe       105
PID 2652 wrote to memory of 3424    2652  WaterMark.exe       105
PID 1936 wrote to memory of 5112    1936  WaterMark.exe       106
PID 1936 wrote to memory of 5112    1936  WaterMark.exe       106
PID 216 wrote to memory of 5012     216   WaterMark.exe       107
PID 216 wrote to memory of 5012     216   WaterMark.exe       107
PID 216 wrote to memory of 4656     216   WaterMark.exe       108
PID 216 wrote to memory of 4656     216   WaterMark.exe       108
PID 5012 wrote to memory of 3008    5012  iexplore.exe        110
PID 5012 wrote to memory of 3008    5012  iexplore.exe        110
PID 5012 wrote to memory of 3008    5012  iexplore.exe        110
PID 3168 wrote to memory of 464     3168  iexplore.exe        111
Processes
C:\Windows\system32\regsvr32.exe  (PID 4012)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe  (PID 4564)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32mgr.exe  (PID 1784)
      Command line: C:\Windows\SysWOW64\regsvr32mgr.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32mgrmgr.exe  (PID 4580)
        Command line: C:\Windows\SysWOW64\regsvr32mgrmgr.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe  (PID 2652)
          Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  (PID 4596)
            Command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\WaterMark.exe  (PID 216)
              Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\svchost.exe  (PID 4404)
                Command line: C:\Windows\system32\svchost.exe
                C:\Windows\SysWOW64\WerFault.exe  (PID 1492)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 204
                  - Program crash
              C:\Program Files\Internet Explorer\iexplore.exe  (PID 5012)
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                - Modifies Internet Explorer settings
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 3008)
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5012 CREDAT:17410 /prefetch:2
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
              C:\Program Files\Internet Explorer\iexplore.exe  (PID 4656)
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                - Modifies Internet Explorer settings
          C:\Windows\SysWOW64\svchost.exe  (PID 2760)
            Command line: C:\Windows\system32\svchost.exe
            C:\Windows\SysWOW64\WerFault.exe  (PID 2344)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 204
              - Program crash
          C:\Program Files\Internet Explorer\iexplore.exe  (PID 4172)
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 376)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4172 CREDAT:17410 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          C:\Program Files\Internet Explorer\iexplore.exe  (PID 3424)
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 4088)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3424 CREDAT:17410 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\WaterMark.exe  (PID 1936)
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe  (PID 2292)
          Command line: C:\Windows\system32\svchost.exe
          C:\Windows\SysWOW64\WerFault.exe  (PID 2776)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 204
            - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe  (PID 3168)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 464)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:17410 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe  (PID 5112)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 3524)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5112 CREDAT:17410 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe  (PID 2164)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe  (PID 2300)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
C:\Windows\SysWOW64\WerFault.exe  (PID 760)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2760 -ip 2760
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 539399c9f7153f78b67cde1bcdea163f
SHA1: 6cb6e4936d546c17549aec9431a2af7c31bb3c3a
SHA256: 27b9528028887b2d852cae2cb55efb965fc13dfa0882f85d6236814f7eb0ad65
SHA512: 11836ba1429de7d15b9eb33b4852b0c71872149e9d448959c366aca1db75796446a86ee5c40b274ac3102d5395c7197d4dc2cd11b32754538aa6883e0ebdbf17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 01ddd00ddcc06fb82b72dab40b3fe245
SHA1: ee61f4d3327b5701fb6a041bf8ca21d527213a69
SHA256: 3bd8dcec16f343790c88f02906cb8f739a221319cd1f1772dc5ff300ee930d90
SHA512: f623e0f30f0ce16eccb201cb8e74a0226e7f44440d2b9a5ac1e9767e5a0d25b598a2231f7f84dfac9cefb9f6506b9c7cf94726327d597756f28e1c341695c63f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: a9db78e68679fff39782446648d8803a
SHA1: f8c383cb2e1334b1e6f0fe94b01d318523632567
SHA256: daa4f6a5457a5e73f197004efa040ac7fb454dda8317d19fb8198a06f50a3d62
SHA512: f3f0ea35723b23f70fc1cf32e4a312b512a3c5810ad36c7f0c3456f109ae2114f67730fc352781cd667e7cee21e14567836ea505f2cd4f6fec0fc3e81aa767f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 742d5fa87f92aa241fd81c2ed8a223cb
SHA1: c8606d441ca219ca66f1c9e3cddff6aab15041b7
SHA256: b0386309139f352401f200c1cc993e8c6b494859fd9e5eff78b4fdcb0fae9673
SHA512: 57d06eaf41d790fb372271e6e2d876186d40029400c3990e14c62011c71adb1f501390f1c74730328083ec667a584c1bbf8f6388b1ffc42437548b295f120443

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D43BE577-AAC9-11EF-B9B6-6AACA39217E0}.dat
Filesize: 4KB
MD5: 899e487f11be7a4f48dda8c43ed2c84b
SHA1: 8e3f4713e6ae817f8026ca5cc453bc04276fa7fa
SHA256: 0068c711711a965bf133cf8d76ef5828f92b172f7852b4483029f89916528902
SHA512: 8a48ff3e041a842d42dd590f5f1188d63e82bb9a351054586595e8babb948c4505cf478837dcc2ad3b9787e12512941e3e4e6defa026e9e1627da43738e06c37

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D43BE577-AAC9-11EF-B9B6-6AACA39217E0}.dat
Filesize: 5KB
MD5: 30f69a7f338254e8281093fef0490616
SHA1: c97e2eb11f6795dd9f603ba34f5aeef649a71863
SHA256: 715038ee183b522e2bd9e29f5b5ff121e7a5889677017a4231eae0847f771cc1
SHA512: 15af38701479d678809aee04f8da89f133c39d173ed855641f8ab0f2308743ac48c22eb79c89f0588f41ba72a872f7fa9681a50200212602895e033a8a3870d0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D43C0C87-AAC9-11EF-B9B6-6AACA39217E0}.dat
Filesize: 5KB
MD5: b9a299bf4eff0288ea365553f4a24fbe
SHA1: d86b97cc00155142c0691d0c606e757afa1c4e5d
SHA256: 51d81c024cb13213ea422f2486c6e45d19e92a0fb2bc7cb5c428f240892265e1
SHA512: fc9c76063af87c279de319c4bb336af2b60f7fe78beadd3135adedf7e57cba97f4f2a4fdb6f40459331f5eacaa458775f025e55960ddf86a175debc7f6df55c3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D43E47E9-AAC9-11EF-B9B6-6AACA39217E0}.dat
Filesize: 3KB
MD5: 953409ef856c5c18c24d92267d2c680b
SHA1: 0749ea663f09b01749bcaad87700c49ea9571c2b
SHA256: cc8000c9eda4c51aa804930011e23508844b13f1f6b89587ca305f4843787bbb
SHA512: f8ca4f22bef400542b17e1d0bacb4cb5b26b019bde10dc61f77f4fae9f3b7a1e3e2ea43d8c5c2c7a2af66e651207c19d2779623e344dc17abb13bd92f064556a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D440AA5B-AAC9-11EF-B9B6-6AACA39217E0}.dat
Filesize: 5KB
MD5: c1d860b3166a613c4c92bf8eeba11dc9
SHA1: b83a6131195271b25a39dbb22e4d844caef57bd4
SHA256: eab64db2d2a305fa76bc2fcdc6af6566c9d4e6bef58feb0e1bd18cf9300e2ced
SHA512: 5ace60fe29a15223c05a42d9dfab65860cf2381d83cf6d9272e228b7dfd781141cc7474e4fdcac6d21e73ea2880e5c310006ea7e783d8f1afa006801d2136d72

Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 234KB
MD5: c3a6eaa4a1cbbe625a1f4ed4f486ce15
SHA1: c7810ef979cf5242d99ad79b29849604c7508b99
SHA256: e898c9afe93f94d2b0183582a583386aa33a3765fd40caf82ea37c01832e12e6
SHA512: 461ba410a006f47760c0f8368955b5c66f1789ba33546e3d9b704f9197b86b465f3328dd704e1c1904efdf8d460bb74a1190d0c69cfb2d4adcf1982a5c286942

Filesize: 116KB
MD5: fd6899e36fcc5f26903dea1c0519a8fd
SHA1: af249681be87eed2b680baa7d9b514c051d6d4a7
SHA256: b9d75d71f61d31de963a29114d370d6495a18c81e78c78ce89c77ef134f8e6e8
SHA512: 78980b599fe5cd62fdaf6165a38e16c629cf0e7864f45bbdbc8c95b1ed1967f1cfdfdecaa879a5b5656f57ced55919082c4bd5fcd7a4a7f4fa6ac64fca58a16d