db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
Size

192KB
MD5

7565c3c29e79a24dd0e6f5894ecb9450
SHA1

ab1156f2af054838e14f42839e25d0e619ba796a
SHA256

db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995
SHA512

e623dee382057752bd401aa64b5efaeb807f82db8a4913f4df3e8b919faf98513d744a689a256c867ae1f16d87999300d6c40e0a7e026388b4b9e2477b58d5dd
SSDEEP

3072:oi+bQQgdYR4sOcBRdQZd5g18xJ5kOpaPM9erTRcm4esUV:Sb/gdY7HCKKJNaEoPKmJ

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
1476	WaterMark.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/900-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/900-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/900-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1476-83-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1476-85-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1476-192-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B8D.tmp	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
1476	WaterMark.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	WaterMark.exe
Token: SeDebugPrivilege	592	svchost.exe
Token: SeDebugPrivilege	1476	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
1476	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 900	1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe	28
PID 1996 wrote to memory of 900	1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe	28
PID 1996 wrote to memory of 900	1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe	28
PID 1996 wrote to memory of 900	1996	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe	28
PID 900 wrote to memory of 1476	900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe	29
PID 900 wrote to memory of 1476	900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe	29
PID 900 wrote to memory of 1476	900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe	29
PID 900 wrote to memory of 1476	900	db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe	29
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 2008	1476	WaterMark.exe	30
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 1476 wrote to memory of 592	1476	WaterMark.exe	31
PID 592 wrote to memory of 260	592	svchost.exe	7
PID 592 wrote to memory of 260	592	svchost.exe	7
PID 592 wrote to memory of 260	592	svchost.exe	7
PID 592 wrote to memory of 260	592	svchost.exe	7
PID 592 wrote to memory of 260	592	svchost.exe	7
PID 592 wrote to memory of 332	592	svchost.exe	6
PID 592 wrote to memory of 332	592	svchost.exe	6
PID 592 wrote to memory of 332	592	svchost.exe	6
PID 592 wrote to memory of 332	592	svchost.exe	6
PID 592 wrote to memory of 332	592	svchost.exe	6
PID 592 wrote to memory of 368	592	svchost.exe	5
PID 592 wrote to memory of 368	592	svchost.exe	5
PID 592 wrote to memory of 368	592	svchost.exe	5
PID 592 wrote to memory of 368	592	svchost.exe	5
PID 592 wrote to memory of 368	592	svchost.exe	5
PID 592 wrote to memory of 384	592	svchost.exe	4
PID 592 wrote to memory of 384	592	svchost.exe	4
PID 592 wrote to memory of 384	592	svchost.exe	4
PID 592 wrote to memory of 384	592	svchost.exe	4
PID 592 wrote to memory of 384	592	svchost.exe	4
PID 592 wrote to memory of 420	592	svchost.exe	3
PID 592 wrote to memory of 420	592	svchost.exe	3
PID 592 wrote to memory of 420	592	svchost.exe	3
PID 592 wrote to memory of 420	592	svchost.exe	3
PID 592 wrote to memory of 420	592	svchost.exe	3
PID 592 wrote to memory of 464	592	svchost.exe	2
PID 592 wrote to memory of 464	592	svchost.exe	2
PID 592 wrote to memory of 464	592	svchost.exe	2
PID 592 wrote to memory of 464	592	svchost.exe	2
PID 592 wrote to memory of 464	592	svchost.exe	2
PID 592 wrote to memory of 480	592	svchost.exe	1
PID 592 wrote to memory of 480	592	svchost.exe	1
PID 592 wrote to memory of 480	592	svchost.exe	1
PID 592 wrote to memory of 480	592	svchost.exe	1
PID 592 wrote to memory of 480	592	svchost.exe	1
PID 592 wrote to memory of 488	592	svchost.exe	25

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:880
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1820
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:852
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1604
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:960
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1052
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:304
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:324
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
  "C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
    C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2008
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe

Filesize
120KB

MD5
83a5fa4246ce7541bebc5e64bf0b01b6

SHA1
bc92ac6ec1aec9702570ef975066278ca3effbb0

SHA256
5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a

SHA512
1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc

Download Submit
memory/592-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/592-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/900-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/900-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/900-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1476-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1476-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1476-192-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-78-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/2008-79-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2008-84-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2008-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2008-193-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download