deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
Size

123KB
MD5

811407dad7866484579fadb44b4c003a
SHA1

a49a315e6d6022d6f1b73fcff3226ebe8c5fc412
SHA256

deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5
SHA512

615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df
SSDEEP

768:n06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:9R0Zn3Pc0LCH9MtbvabUDzJYWu3B

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3752	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1884-134-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1884-135-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/1884-137-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/1884-138-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/1884-136-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1884-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3752-149-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-150-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-151-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-152-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-153-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-154-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/3752-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD7F.tmp	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	204	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "407217766"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991762"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373151808"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{43BABD8A-5185-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "407217766"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "416594491"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991762"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991762"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe
3752	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3132	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3132	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3132	iexplore.exe
3132	iexplore.exe
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1884	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
3752	WaterMark.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3752	1884	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe	83
PID 1884 wrote to memory of 3752	1884	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe	83
PID 1884 wrote to memory of 3752	1884	deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe	83
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 204	3752	WaterMark.exe	84
PID 3752 wrote to memory of 2228	3752	WaterMark.exe	89
PID 3752 wrote to memory of 2228	3752	WaterMark.exe	89
PID 3752 wrote to memory of 3132	3752	WaterMark.exe	90
PID 3752 wrote to memory of 3132	3752	WaterMark.exe	90
PID 3132 wrote to memory of 900	3132	iexplore.exe	91
PID 3132 wrote to memory of 900	3132	iexplore.exe	91
PID 3132 wrote to memory of 900	3132	iexplore.exe	91

C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
"C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 204
      4⤵
      Program crash
      PID:4380
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:2228
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 204 -ip 204
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
811407dad7866484579fadb44b4c003a

SHA1
a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

SHA256
deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

SHA512
615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
811407dad7866484579fadb44b4c003a

SHA1
a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

SHA256
deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

SHA512
615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
aa476c70aff32ebdd4b6eb0a4103a830

SHA1
2850f393c1a130891c80b90e77d07bfbe42261e3

SHA256
bd14bb6838afd01947706a68bc52bbc25d7a7a40f8a7083725191704a1348cc6

SHA512
79b5d7ed5a2e2bd509a3e0e21328a3734f789c51d5391a893bae313cfaf575c9648e128dee28ee559a1013e0c2cb4e32f7629a83ab99d4d1ff003ea3720b718b

Download Submit
memory/1884-136-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1884-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1884-134-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1884-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3752-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download