9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
Size

123KB
MD5

05d25f241506d0d012af900b1c80f2ac
SHA1

ae85d9b2266c1ee625bc47c1b6cbf8c58203f0c3
SHA256

9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943
SHA512

4ca391e908b76a97180b49484429178912774ccee3a60839a55b194ac70ee3e2a8841620b1f4fdfd1371bb9586c710c38af261944f6e91dba1e86e198b927e87
SSDEEP

768:d06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:7R0Zn3Pc0LCH9MtbvabUDzJYWu3B

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
892	WaterMark.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-57-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1696-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1696-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/892-79-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/892-80-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/892-188-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA10.tmp	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
892	WaterMark.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe
2044	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	WaterMark.exe
Token: SeDebugPrivilege	2044	svchost.exe
Token: SeDebugPrivilege	892	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
892	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 892	1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe	27
PID 1696 wrote to memory of 892	1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe	27
PID 1696 wrote to memory of 892	1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe	27
PID 1696 wrote to memory of 892	1696	9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe	27
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 1884	892	WaterMark.exe	28
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 892 wrote to memory of 2044	892	WaterMark.exe	29
PID 2044 wrote to memory of 260	2044	svchost.exe	25
PID 2044 wrote to memory of 260	2044	svchost.exe	25
PID 2044 wrote to memory of 260	2044	svchost.exe	25
PID 2044 wrote to memory of 260	2044	svchost.exe	25
PID 2044 wrote to memory of 260	2044	svchost.exe	25
PID 2044 wrote to memory of 332	2044	svchost.exe	24
PID 2044 wrote to memory of 332	2044	svchost.exe	24
PID 2044 wrote to memory of 332	2044	svchost.exe	24
PID 2044 wrote to memory of 332	2044	svchost.exe	24
PID 2044 wrote to memory of 332	2044	svchost.exe	24
PID 2044 wrote to memory of 368	2044	svchost.exe	5
PID 2044 wrote to memory of 368	2044	svchost.exe	5
PID 2044 wrote to memory of 368	2044	svchost.exe	5
PID 2044 wrote to memory of 368	2044	svchost.exe	5
PID 2044 wrote to memory of 368	2044	svchost.exe	5
PID 2044 wrote to memory of 384	2044	svchost.exe	4
PID 2044 wrote to memory of 384	2044	svchost.exe	4
PID 2044 wrote to memory of 384	2044	svchost.exe	4
PID 2044 wrote to memory of 384	2044	svchost.exe	4
PID 2044 wrote to memory of 384	2044	svchost.exe	4
PID 2044 wrote to memory of 420	2044	svchost.exe	3
PID 2044 wrote to memory of 420	2044	svchost.exe	3
PID 2044 wrote to memory of 420	2044	svchost.exe	3
PID 2044 wrote to memory of 420	2044	svchost.exe	3
PID 2044 wrote to memory of 420	2044	svchost.exe	3
PID 2044 wrote to memory of 468	2044	svchost.exe	2
PID 2044 wrote to memory of 468	2044	svchost.exe	2
PID 2044 wrote to memory of 468	2044	svchost.exe	2
PID 2044 wrote to memory of 468	2044	svchost.exe	2
PID 2044 wrote to memory of 468	2044	svchost.exe	2
PID 2044 wrote to memory of 476	2044	svchost.exe	1
PID 2044 wrote to memory of 476	2044	svchost.exe	1
PID 2044 wrote to memory of 476	2044	svchost.exe	1
PID 2044 wrote to memory of 476	2044	svchost.exe	1
PID 2044 wrote to memory of 476	2044	svchost.exe	1
PID 2044 wrote to memory of 484	2044	svchost.exe	23
PID 2044 wrote to memory of 484	2044	svchost.exe	23
PID 2044 wrote to memory of 484	2044	svchost.exe	23
PID 2044 wrote to memory of 484	2044	svchost.exe	23
PID 2044 wrote to memory of 484	2044	svchost.exe	23

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1028
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:952
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1232
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1840

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe
  "C:\Users\Admin\AppData\Local\Temp\9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:1884
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
05d25f241506d0d012af900b1c80f2ac

SHA1
ae85d9b2266c1ee625bc47c1b6cbf8c58203f0c3

SHA256
9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943

SHA512
4ca391e908b76a97180b49484429178912774ccee3a60839a55b194ac70ee3e2a8841620b1f4fdfd1371bb9586c710c38af261944f6e91dba1e86e198b927e87

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
05d25f241506d0d012af900b1c80f2ac

SHA1
ae85d9b2266c1ee625bc47c1b6cbf8c58203f0c3

SHA256
9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943

SHA512
4ca391e908b76a97180b49484429178912774ccee3a60839a55b194ac70ee3e2a8841620b1f4fdfd1371bb9586c710c38af261944f6e91dba1e86e198b927e87

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
05d25f241506d0d012af900b1c80f2ac

SHA1
ae85d9b2266c1ee625bc47c1b6cbf8c58203f0c3

SHA256
9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943

SHA512
4ca391e908b76a97180b49484429178912774ccee3a60839a55b194ac70ee3e2a8841620b1f4fdfd1371bb9586c710c38af261944f6e91dba1e86e198b927e87

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
05d25f241506d0d012af900b1c80f2ac

SHA1
ae85d9b2266c1ee625bc47c1b6cbf8c58203f0c3

SHA256
9a7380188ccbf14cbd6aa76f88123fe9a413220bed60c50749a78d10908f4943

SHA512
4ca391e908b76a97180b49484429178912774ccee3a60839a55b194ac70ee3e2a8841620b1f4fdfd1371bb9586c710c38af261944f6e91dba1e86e198b927e87

Download Submit
memory/892-79-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/892-188-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/892-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1696-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1696-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1696-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1884-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1884-81-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1884-71-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1884-189-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2044-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download