ramnit | dbcabbc2c3ec02cfde5ded1632f5ee84d8826892fe704c95f3d13bd064fde035

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef69ab91cc813564558969edeef06668_JaffaCakes118.dll
Size

200KB
MD5

ef69ab91cc813564558969edeef06668
SHA1

aa764b74f5e05086ad8e84f28f71a3ce57a1a508
SHA256

dbcabbc2c3ec02cfde5ded1632f5ee84d8826892fe704c95f3d13bd064fde035
SHA512

ecacaf035bfe8a122a4e43509b3fbb8c95ba8fd6137ffd7e6eee5cc8f7261e3141e27323de39a22e86851af2e98533633e4fe37c87df98d44e477e803b955ed8
SSDEEP

3072:20q0LA67ygN3R3zsc3rM7FNQZK6IuFsqxhwmsYB06R8vzIZwIapw24X6o:Rq0LX/3w2/IuFsqx5sET8vzIhAw24l

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
4456	regsvr32mgr.exe
3852	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3852-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3852-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3852-38-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3852-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3852-44-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA151.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4936	4580	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149627"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149627"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0B492692-BA2F-11EF-B319-4A034D48373C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440954644"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0B4DEBE8-BA2F-11EF-B319-4A034D48373C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149627"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149627"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3753811508"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149627"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3753811508"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3756623844"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3753967447"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3756780281"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3753967447"	iexplore.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef69ab91cc813564558969edeef06668_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "Windows Media Player"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBand"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "Windows Media Player"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef69ab91cc813564558969edeef06668_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "Windows Media Player"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe
3852	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3872	iexplore.exe
3788	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3872	iexplore.exe
3872	iexplore.exe
3788	iexplore.exe
3788	iexplore.exe
4672	IEXPLORE.EXE
4672	IEXPLORE.EXE
3628	IEXPLORE.EXE
3628	IEXPLORE.EXE
4672	IEXPLORE.EXE
4672	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4456	regsvr32mgr.exe
3852	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1568	2084	regsvr32.exe	83
PID 2084 wrote to memory of 1568	2084	regsvr32.exe	83
PID 2084 wrote to memory of 1568	2084	regsvr32.exe	83
PID 1568 wrote to memory of 4456	1568	regsvr32.exe	84
PID 1568 wrote to memory of 4456	1568	regsvr32.exe	84
PID 1568 wrote to memory of 4456	1568	regsvr32.exe	84
PID 4456 wrote to memory of 3852	4456	regsvr32mgr.exe	85
PID 4456 wrote to memory of 3852	4456	regsvr32mgr.exe	85
PID 4456 wrote to memory of 3852	4456	regsvr32mgr.exe	85
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 4580	3852	WaterMark.exe	86
PID 3852 wrote to memory of 3872	3852	WaterMark.exe	91
PID 3852 wrote to memory of 3872	3852	WaterMark.exe	91
PID 3852 wrote to memory of 3788	3852	WaterMark.exe	92
PID 3852 wrote to memory of 3788	3852	WaterMark.exe	92
PID 3872 wrote to memory of 4672	3872	iexplore.exe	95
PID 3872 wrote to memory of 4672	3872	iexplore.exe	95
PID 3872 wrote to memory of 4672	3872	iexplore.exe	95
PID 3788 wrote to memory of 3628	3788	iexplore.exe	94
PID 3788 wrote to memory of 3628	3788	iexplore.exe	94
PID 3788 wrote to memory of 3628	3788	iexplore.exe	94

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef69ab91cc813564558969edeef06668_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ef69ab91cc813564558969edeef06668_JaffaCakes118.dll
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 204
        6⤵
        Program crash
        
        PID:4936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4672
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3788 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
07e369ebdbb322a72367beb15fea66c2

SHA1
7772c54598e1862ebffe373b494651ec745f6c9f

SHA256
b50e533aec8439f67cd49f1119099293c18626136694d72fc4c5b00f950e8e0c

SHA512
65f401db96f0e2c1a1ae79528087ff3e2e24bb5353425ecf93c884519aaf950422a6599f2e3afe6839070071d033ea8d19c546d5493aa511beb97c6fea5ba0f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1b8f8f55381fb5ddcc49cd5f62bf841e

SHA1
2402633354f65fed436af009437d0f6ff25967b9

SHA256
4d10255e40f15e95f070b343d69d32e5886c43af3dd8de9edc73948138b99e32

SHA512
a62b7f1ee85dafb7ac9645c1e4aacce89f675bff13ae599fc21db86fa8ac0bad02d9ba3c6ed24ca66a04e680592b3427a72763ce06d1f52abd732cb4d4dafb8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
514322901529689951e26e163916e06d

SHA1
76458345f09870644bbd7980477bc5dc6b9617a6

SHA256
d791167f7f6da16f29c8b2c80416377e86520f1bcda1a7614c221ac304262f0a

SHA512
b7d99111a98eb9e0ac76cf9c63ea65cc079ce7e8ae845f43ab63fcdc8372e5d7441d9667d591e8c90d58f82ce05c40c3d631e381602d333cd6863335ca77e315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0B492692-BA2F-11EF-B319-4A034D48373C}.dat

Filesize
5KB

MD5
0a7f9f6ac969f972a2ce6bd4e6811035

SHA1
8a04f07226bdafaa1d1d8697b4a4afd70ceb0ba7

SHA256
b03ba4a389ef22b7cb5f4350c2cecc2b5d0f0509072612a114d98f8c56f0ad3c

SHA512
20e931e65fd26b890ef90136cc279196d1d9a8ea53cdfd42252b0a291cbdb76e9395b9264e58c6c024ff0574742a147d8af6174a829c727e1a19a90ae7a1efad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0B4DEBE8-BA2F-11EF-B319-4A034D48373C}.dat

Filesize
3KB

MD5
ab1836e6c571bb7124d39c6ddd6c7600

SHA1
b25fcdff8eaaed9002e64fe3669c3374d828be8d

SHA256
31ea3523d8b9f58f8e08f2ae090f145889e7af8731211aaf2c5b79cbacdae56c

SHA512
a9ae5cc3ef149c3c6199d8c1d95a81fc34f549a5979ac226d2a852548ea141a6d774be018e72e3856a08b406ff6e7de73a98bb1c606961a1417fed22b9368bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver246B.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
119KB

MD5
9d5d609dc8e2554054733d19eed45c5c

SHA1
ce72453fca9f477940a9def32bd8463549c6e1e4

SHA256
7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

SHA512
012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

Download Submit
memory/1568-0-0x00000000074A0000-0x00000000074D2000-memory.dmp

Filesize
200KB

Download
memory/3852-39-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3852-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3852-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3852-31-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3852-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3852-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3852-32-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/3852-33-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3852-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3852-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3852-37-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4456-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-6-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4456-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4456-11-0x0000000000403000-0x0000000000405000-memory.dmp

Filesize
8KB

Download
memory/4456-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-22-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4456-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-12-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4580-36-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4580-35-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download