37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac

General

Target

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
Size

1.3MB
MD5

4c6aa8c110669a6662c06c7d6b38ba35
SHA1

4dd07af4c8402364e079ee09c1b067a88ffbb799
SHA256

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac
SHA512

a5c33bc0c55cd1429898f42b12ed4b10e21652129c445ac021533f0bcd653dc90c1686d7a71b2a70edd971f7826d5ea0e74fd7f5affb287518c17a4a8bae458e

Score

10^/10

persistence suricata upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

suricata: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain
suricata: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain
suricata
suricata: ET MALWARE Win32/Ramnit Checkin
suricata: ET MALWARE Win32/Ramnit Checkin
suricata
Executes dropped EXE 2 IoCs

Processes:

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exeWaterMark.exe

pid process

1796 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
1540 WaterMark.exe

pid	process
1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
1540	WaterMark.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1796-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1796-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1796-67-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1540-86-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1540-156-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe

pid	process
1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\OmdBase.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perfcore.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdm.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFB22.tmp	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
1540	WaterMark.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WaterMark.exesvchost.exe37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe

description	pid	process
Token: SeDebugPrivilege	1540	WaterMark.exe
Token: SeDebugPrivilege	828	svchost.exe
Token: SeDebugPrivilege	1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
Token: SeDebugPrivilege	1540	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exeWaterMark.exe

pid process

1796 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
1540 WaterMark.exe

pid	process
1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
1540	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1852 wrote to memory of 1796	1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
PID 1852 wrote to memory of 1796	1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
PID 1852 wrote to memory of 1796	1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
PID 1852 wrote to memory of 1796	1852	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
PID 1796 wrote to memory of 1540	1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe	WaterMark.exe
PID 1796 wrote to memory of 1540	1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe	WaterMark.exe
PID 1796 wrote to memory of 1540	1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe	WaterMark.exe
PID 1796 wrote to memory of 1540	1796	37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe	WaterMark.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 1116	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 1540 wrote to memory of 828	1540	WaterMark.exe	svchost.exe
PID 828 wrote to memory of 260	828	svchost.exe	smss.exe
PID 828 wrote to memory of 260	828	svchost.exe	smss.exe
PID 828 wrote to memory of 260	828	svchost.exe	smss.exe
PID 828 wrote to memory of 260	828	svchost.exe	smss.exe
PID 828 wrote to memory of 260	828	svchost.exe	smss.exe
PID 828 wrote to memory of 332	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 332	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 332	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 332	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 332	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 368	828	svchost.exe	wininit.exe
PID 828 wrote to memory of 368	828	svchost.exe	wininit.exe
PID 828 wrote to memory of 368	828	svchost.exe	wininit.exe
PID 828 wrote to memory of 368	828	svchost.exe	wininit.exe
PID 828 wrote to memory of 368	828	svchost.exe	wininit.exe
PID 828 wrote to memory of 384	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 384	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 384	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 384	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 384	828	svchost.exe	csrss.exe
PID 828 wrote to memory of 420	828	svchost.exe	winlogon.exe
PID 828 wrote to memory of 420	828	svchost.exe	winlogon.exe
PID 828 wrote to memory of 420	828	svchost.exe	winlogon.exe
PID 828 wrote to memory of 420	828	svchost.exe	winlogon.exe
PID 828 wrote to memory of 420	828	svchost.exe	winlogon.exe
PID 828 wrote to memory of 464	828	svchost.exe	services.exe
PID 828 wrote to memory of 464	828	svchost.exe	services.exe
PID 828 wrote to memory of 464	828	svchost.exe	services.exe
PID 828 wrote to memory of 464	828	svchost.exe	services.exe
PID 828 wrote to memory of 464	828	svchost.exe	services.exe
PID 828 wrote to memory of 480	828	svchost.exe	lsass.exe
PID 828 wrote to memory of 480	828	svchost.exe	lsass.exe
PID 828 wrote to memory of 480	828	svchost.exe	lsass.exe
PID 828 wrote to memory of 480	828	svchost.exe	lsass.exe
PID 828 wrote to memory of 480	828	svchost.exe	lsass.exe
PID 828 wrote to memory of 488	828	svchost.exe	lsm.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1104

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1048

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:592

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
"C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2044

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2000

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
memory/828-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/828-91-0x0000000000000000-mapping.dmp

Download
memory/828-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1116-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1116-79-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1116-205-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1116-87-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1116-77-0x0000000000000000-mapping.dmp

Download
memory/1540-86-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-156-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1540-66-0x0000000000000000-mapping.dmp

Download
memory/1796-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1796-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1796-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1796-57-0x0000000000000000-mapping.dmp

Download
memory/1852-83-0x00000000106B0000-0x00000000107FE000-memory.dmp

Filesize
1.3MB

Download
memory/1852-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1852-734-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads