Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03/10/2022, 19:20
General
-
Target
ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d.exe
-
Size
346KB
-
MD5
37a622e1d2a97d7f68526ef777a7c258
-
SHA1
22f676f7024b2b3e6fc9af5f88611956de7855e4
-
SHA256
ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
-
SHA512
c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
SSDEEP
3072:HR2xn3k0CdM1vabyzJYWqOCz4EwevAHjmVep+23FlJ45:HR2J0LS6Vdz4ElAH5LR2
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of UnmapMainImage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Users\Admin\AppData\Local\Temp\ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d.exe"C:\Users\Admin\AppData\Local\Temp\ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4dmgr.exeC:\Users\Admin\AppData\Local\Temp\ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4dmgr.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
346KB
MD537a622e1d2a97d7f68526ef777a7c258
SHA122f676f7024b2b3e6fc9af5f88611956de7855e4
SHA256ab68196b717049f6302da1f9692da1f8384545433c0e72b86e36925af6d59d4d
SHA512c0011490b51b5c08e06a2a60f4b749afc7942c24dd64eb58e3421da7f72a1eda8c899a1ef14bfd2dded6ebcd2d9326518ac33c2ae85a0bdfa4782be7876a6dac
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
172KB
MD5f57abd3a76079ed9ba085bf71acf6cd3
SHA1018c940fdb62a466a5ada1338149bb7621ad8682
SHA25698c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba
SHA512cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001
-
Filesize
132KB
-
Filesize
312KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
488KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
132KB
-
Filesize
312KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
132KB
-
Filesize
488KB
-
Filesize
72KB
-
Filesize
132KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
312KB
-
Filesize
132KB
-
Filesize
132KB