ramnit | 6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0

Analysis

max time kernel
95s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll
Size

439KB
MD5

afca455fdde4658e22c9bbbb75c124f0
SHA1

3bb347d1f42ba804c920ef5e43f226eddb8796a6
SHA256

6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0
SHA512

48c67bfaf755b4fcd36ff89ef55bbdc61e289e0da8a0f5330e825e1ef0dbb12ef5c5d03c65f62c79992b90cbf1427114cd7a72126326e6622fca00f04150acac
SSDEEP

6144:yOp8HpzdQOStK+XsAWxnuTNo3+wO90oi8T:yOp8Hpz7+XsBJ+SXO9g8T

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
1648	rundll32mgr.exe
1372	rundll32mgrmgr.exe
1276	WaterMark.exe
3864	WaterMark.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1372-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1648-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3864-47-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/3864-55-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1276-54-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1276-46-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1372-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1372-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1372-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1372-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1372-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1276-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3864-66-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1276-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3864-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px83E5.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83D6.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2568	2768	WerFault.exe	89
3128	4552	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "289405846"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152076"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292843200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "289249505"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292999530"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152076"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442006135"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3CDD9789-C3BF-11EF-A7EA-4E8E92B54298} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3CDDBE99-C3BF-11EF-A7EA-4E8E92B54298} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "289249505"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "289405846"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292843200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152076"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152076"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152076"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "289249505"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152076"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3CDDE5A9-C3BF-11EF-A7EA-4E8E92B54298} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152076"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152076"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3864	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
1276	WaterMark.exe
1276	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe
3864	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3864	WaterMark.exe
Token: SeDebugPrivilege	1276	WaterMark.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4728	iexplore.exe
4984	iexplore.exe
4816	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4816	iexplore.exe
4816	iexplore.exe
4728	iexplore.exe
4728	iexplore.exe
4984	iexplore.exe
4984	iexplore.exe
396	IEXPLORE.EXE
396	IEXPLORE.EXE
4152	IEXPLORE.EXE
4152	IEXPLORE.EXE
5096	IEXPLORE.EXE
5096	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
1372	rundll32mgrmgr.exe
1648	rundll32mgr.exe
1276	WaterMark.exe
3864	WaterMark.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4272	4528	rundll32.exe	83
PID 4528 wrote to memory of 4272	4528	rundll32.exe	83
PID 4528 wrote to memory of 4272	4528	rundll32.exe	83
PID 4272 wrote to memory of 1648	4272	rundll32.exe	84
PID 4272 wrote to memory of 1648	4272	rundll32.exe	84
PID 4272 wrote to memory of 1648	4272	rundll32.exe	84
PID 1648 wrote to memory of 1372	1648	rundll32mgr.exe	85
PID 1648 wrote to memory of 1372	1648	rundll32mgr.exe	85
PID 1648 wrote to memory of 1372	1648	rundll32mgr.exe	85
PID 1372 wrote to memory of 1276	1372	rundll32mgrmgr.exe	86
PID 1372 wrote to memory of 1276	1372	rundll32mgrmgr.exe	86
PID 1372 wrote to memory of 1276	1372	rundll32mgrmgr.exe	86
PID 1648 wrote to memory of 3864	1648	rundll32mgr.exe	87
PID 1648 wrote to memory of 3864	1648	rundll32mgr.exe	87
PID 1648 wrote to memory of 3864	1648	rundll32mgr.exe	87
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 3864 wrote to memory of 4552	3864	WaterMark.exe	88
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 2768	1276	WaterMark.exe	89
PID 1276 wrote to memory of 4728	1276	WaterMark.exe	97
PID 1276 wrote to memory of 4728	1276	WaterMark.exe	97
PID 3864 wrote to memory of 4984	3864	WaterMark.exe	96
PID 3864 wrote to memory of 4984	3864	WaterMark.exe	96
PID 1276 wrote to memory of 4664	1276	WaterMark.exe	98
PID 1276 wrote to memory of 4664	1276	WaterMark.exe	98
PID 3864 wrote to memory of 4816	3864	WaterMark.exe	99
PID 3864 wrote to memory of 4816	3864	WaterMark.exe	99
PID 4816 wrote to memory of 4152	4816	iexplore.exe	100
PID 4816 wrote to memory of 4152	4816	iexplore.exe	100
PID 4816 wrote to memory of 4152	4816	iexplore.exe	100
PID 4728 wrote to memory of 396	4728	iexplore.exe	102
PID 4728 wrote to memory of 396	4728	iexplore.exe	102
PID 4728 wrote to memory of 396	4728	iexplore.exe	102
PID 4984 wrote to memory of 5096	4984	iexplore.exe	101
PID 4984 wrote to memory of 5096	4984	iexplore.exe	101
PID 4984 wrote to memory of 5096	4984	iexplore.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6db87102d00ab090b552675b0a6a46d51f83d214d1a52ab27db392bb6208edf0N.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 204
        7⤵
        Program crash
        
        PID:2568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4728 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:4664
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 204
        6⤵
        Program crash
        
        PID:3128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2768 -ip 2768
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
863881560832be6db3d7e95507b796d8

SHA1
bab29c682b73454cb94d1a0edfaae5fd64d076f6

SHA256
1b8c898d463e9947656d97610caa6068a39c17fae72baa9168113364b7f70063

SHA512
0556ac3e08e23d12ba2558e3e1320f8c7591359a003c6b98e3d93208361000c3fc25dc13e9f4a3575ef854bd903b32f62a36e541ba10de67f38663d8d8debbcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
426757aae726ebfc0345c1f8a1bcc120

SHA1
6e45ccbe903631725ee7b37c5877d8f9cd75a89d

SHA256
09773da07fd595f65f21569cf35d8535feaa26c04dbac3ce394c43e3ae67155d

SHA512
a11223ce454027373e4413b381e18c092a1ea442e755c8644b43940aa5f4f8795a1c470020858cba4b23c040618a300da2f2f47f2672ac427c03b8b6eaefa8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CDDBE99-C3BF-11EF-A7EA-4E8E92B54298}.dat

Filesize
3KB

MD5
f091946712892ac12bb1c0c980ef2831

SHA1
6e47e4151b3292f762721d87ec2a62173524971c

SHA256
8ab5cce2dcb2bf1a5b2abaad69f1dc33389696d5b35818304139159056d597c3

SHA512
fe2f674b711fd2bba14285113df0969125b3a055a82e6b5240ff81abf057e01aa60a70f1adf474370c59ba858d2f97ea695c8a99a7bf7b1b5282df274404d053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CDDE5A9-C3BF-11EF-A7EA-4E8E92B54298}.dat

Filesize
3KB

MD5
d81b469c0c1adb769d687042590d839e

SHA1
30b748586c340a54587a9e3d514bb66f5406113a

SHA256
c2d9de77f09569acc5f8bd263743a066a9524527fbbddf4213cd961dad2d93d0

SHA512
60415a2495c7f5caea0cbe3fcc4abe1767bcf7983ff47e3a7f8e0223b8f06437e06908062788d276baa82d24ebfa64e1810a2b389b9ef15097b9217caccd05af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CDDE5A9-C3BF-11EF-A7EA-4E8E92B54298}.dat

Filesize
5KB

MD5
9af65c20c50130b5124bddf10f163275

SHA1
1fcb64fd8c0e3c55379686cebe582f5419ff3327

SHA256
7799fd2935eca03bf0897a18c5fdf5cf96b8d11fad0c077f6447dcb2df6409a7

SHA512
3adbd3b0153557bebee35360255df3243393a60ad8f6d2a5abaa6a2b00f9b6c966e43766814c732cc93b45921ec276c80797c8c373e6759292424d36dca37dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6C1.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
339KB

MD5
7385f723cdfd6a19523b29e19fe63e39

SHA1
6eb6694a76aab6587eb45575f380cc7a80c66bc5

SHA256
a50f5786e2dd07cfbc89f72484e3af5dcccc31d476713bd7b433c6f74ebc4e37

SHA512
858c17a06aec78976775cd9df4f2652cfb97e35c14aa863e88f27cd332c6b6ecdb0c062d0cfdb53436981b50ba4681ebe04d00128df8be67398d021aa6d83632

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
168KB

MD5
0943b815c588255874985439061ba474

SHA1
31ad4cdb76003b35f553cb96c78d887e7c960eba

SHA256
7b1559c2f8d511f7be152a22809b358088048fc3e00d9963b92ad0ecb384bf51

SHA512
fce7596624b5c224cbaaae55c4b224ff995eea33ed0ca9d40c33cfb5ffaa98f387f267175788f5431ca7209c2c69ef1024b9541f7b53a1a3c6412b09a19bd601

Download Submit
memory/1276-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1276-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1276-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1276-63-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1276-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1372-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-16-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1372-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1372-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-15-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1648-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2768-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2768-62-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3864-67-0x0000000077B52000-0x0000000077B53000-memory.dmp

Filesize
4KB

Download
memory/3864-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3864-56-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3864-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3864-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3864-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3864-60-0x0000000077B52000-0x0000000077B53000-memory.dmp

Filesize
4KB

Download
memory/4272-0-0x0000000007000000-0x0000000007070000-memory.dmp

Filesize
448KB

Download