a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f

Analysis

max time kernel
175s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe
Size

194KB
MD5

6673aa915e167fe63f48058d46ca7700
SHA1

78ace7f8dcfd7dbfd770c9f5ecb80ec2c7b3286a
SHA256

a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f
SHA512

2676f040cf7867e4f0cd42e9547a68fcc04aaa3dedd7623b99585a77fa94e45e2465a6640f788f2ba1ac5aac0275281794ae8b9c4ac26a04c493686baeb61cac
SSDEEP

1536:8VZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEnlElwpYxnrBfy:snxwgxgfR/DVG7wBpEn+ts

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4840	WaterMark.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/728-134-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/728-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/728-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4840-146-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-147-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-148-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-149-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-151-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-152-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-153-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4840-154-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF801.tmp	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2032	WerFault.exe	82

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987769"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3201341169"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D842A1C7-41EC-11ED-89AC-F639923F7CA1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987769"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3201341169"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371437089"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D83BA541-41EC-11ED-89AC-F639923F7CA1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe
4840	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3420	iexplore.exe
3828	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3420	iexplore.exe
3420	iexplore.exe
3828	iexplore.exe
3828	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
3552	IEXPLORE.EXE
3552	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
728	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe
4840	WaterMark.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4840	728	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe	81
PID 728 wrote to memory of 4840	728	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe	81
PID 728 wrote to memory of 4840	728	a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe	81
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 2032	4840	WaterMark.exe	82
PID 4840 wrote to memory of 3828	4840	WaterMark.exe	86
PID 4840 wrote to memory of 3828	4840	WaterMark.exe	86
PID 4840 wrote to memory of 3420	4840	WaterMark.exe	87
PID 4840 wrote to memory of 3420	4840	WaterMark.exe	87
PID 3420 wrote to memory of 3552	3420	iexplore.exe	88
PID 3420 wrote to memory of 3552	3420	iexplore.exe	88
PID 3420 wrote to memory of 3552	3420	iexplore.exe	88
PID 3828 wrote to memory of 2024	3828	iexplore.exe	89
PID 3828 wrote to memory of 2024	3828	iexplore.exe	89
PID 3828 wrote to memory of 2024	3828	iexplore.exe	89

C:\Users\Admin\AppData\Local\Temp\a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe
"C:\Users\Admin\AppData\Local\Temp\a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 204
      4⤵
      Program crash
      PID:2624
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3828 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2024
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3420 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2032 -ip 2032
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
194KB

MD5
6673aa915e167fe63f48058d46ca7700

SHA1
78ace7f8dcfd7dbfd770c9f5ecb80ec2c7b3286a

SHA256
a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f

SHA512
2676f040cf7867e4f0cd42e9547a68fcc04aaa3dedd7623b99585a77fa94e45e2465a6640f788f2ba1ac5aac0275281794ae8b9c4ac26a04c493686baeb61cac

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
194KB

MD5
6673aa915e167fe63f48058d46ca7700

SHA1
78ace7f8dcfd7dbfd770c9f5ecb80ec2c7b3286a

SHA256
a1193aa90084ed1bbc88de8ed4d44c35a0727520e77f79ebd575ea2875826e6f

SHA512
2676f040cf7867e4f0cd42e9547a68fcc04aaa3dedd7623b99585a77fa94e45e2465a6640f788f2ba1ac5aac0275281794ae8b9c4ac26a04c493686baeb61cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D83BA541-41EC-11ED-89AC-F639923F7CA1}.dat

Filesize
5KB

MD5
e7264cfcb960665a207ad95a827f07fe

SHA1
ca4f89346623ee8848947fce047554d7d3a30864

SHA256
28154c93d58fa6ea0cfc89b43a33e25f05d3b41a6e5a417fddda0b839efceec7

SHA512
c5706020e8f8a788863166f4c3474206973f8eb0fbc30fff3263d68bb97d7de057aee88e8c0fdd2c3c75b2b235dc345bac8f677a421ab1c42f615d2d7126485f

Download Submit
memory/728-134-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/728-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/728-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4840-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download