Analysis
- max time kernel: 151s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
- Resource: win10v2004-20220812-en
General
- Target: ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
- Size: 96KB
- MD5: 62910034b7d12a46cc364551bfee5c1b
- SHA1: 306a0b044797b291c943dff0d35fa460c99ac49f
- SHA256: ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992
- SHA512: 11cece8e9013bf07f9f0ae262035aa01efab72701e509b4629e7bd93eadd121c13dd7df9bc829f68bfd89a6fa23a8bb30ebd9709d6ef7135238e567e4b236a7f
- SSDEEP: 768:a06R0UEgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9IC2:wR0In3Pc0LCH9MtbvabUDzJYWu3Bb
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Executes dropped EXE (1 IoC)
pid | Process
952 | WaterMark.exe

Memory resources matched by yara rule upx
resource | yara_rule
behavioral1/memory/1388-57-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1388-58-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1388-63-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/952-70-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/952-73-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral1/memory/952-188-0x0000000000400000-0x0000000000421000-memory.dmp | upx

Loads dropped DLL (2 IoCs)
pid | Process
1388 | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
1388 | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\pxB19.tmp | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.dll | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.dll | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs; identical rows collapsed, count in last column)
pid | Process | count
952 | WaterMark.exe | 8
320 | svchost.exe | 17

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 952 | WaterMark.exe
Token: SeDebugPrivilege | 320 | svchost.exe
Token: SeDebugPrivilege | 952 | WaterMark.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
1388 | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe
952 | WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 1388 wrote to memory of 952 | 1388 | ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe | 27 | 4
PID 952 wrote to memory of 1508 | 952 | WaterMark.exe | 28 | 10
PID 952 wrote to memory of 320 | 952 | WaterMark.exe | 29 | 10
PID 320 wrote to memory of 260 | 320 | svchost.exe | 7 | 5
PID 320 wrote to memory of 336 | 320 | svchost.exe | 6 | 5
PID 320 wrote to memory of 372 | 320 | svchost.exe | 5 | 5
PID 320 wrote to memory of 384 | 320 | svchost.exe | 4 | 5
PID 320 wrote to memory of 420 | 320 | svchost.exe | 3 | 5
PID 320 wrote to memory of 464 | 320 | svchost.exe | 2 | 5
PID 320 wrote to memory of 480 | 320 | svchost.exe | 1 | 5
PID 320 wrote to memory of 488 | 320 | svchost.exe | 8 | 5
Processes

Each row is image path | command line | PID; indentation shows the parent/child nesting in the process tree, and the signatures a process triggered are listed beneath it.

C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:480
C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:464
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:812
    C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1184
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:852
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:880
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2004
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:324
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1084
  C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1124
  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1012
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:764
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:680
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:600
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:1044
  C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:1660
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:420
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:384
C:\Windows\system32\wininit.exe | wininit.exe | PID:372
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:488
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:336
C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:260
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1244
  C:\Users\Admin\AppData\Local\Temp\ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe | "C:\Users\Admin\AppData\Local\Temp\ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992.exe" | PID:1388
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:952
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:1508
      - Modifies WinLogon for persistence
      - Drops file in System32 directory
      - Drops file in Program Files directory
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:320
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 96KB
- MD5: 62910034b7d12a46cc364551bfee5c1b
- SHA1: 306a0b044797b291c943dff0d35fa460c99ac49f
- SHA256: ec02a37a69a07e0c10727f67f071c61d015acda9a30893d1dee7221866114992
- SHA512: 11cece8e9013bf07f9f0ae262035aa01efab72701e509b4629e7bd93eadd121c13dd7df9bc829f68bfd89a6fa23a8bb30ebd9709d6ef7135238e567e4b236a7f