f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

Analysis

max time kernel
134s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
Size

400KB
MD5

90596b38302fa3036a151c74a00c25c1
SHA1

d528bbbab87baafe88d8dba1cf048badfb3276ef
SHA256

f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910
SHA512

941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a
SSDEEP

3072:KR2xn3k0CdM1vabyzJYWqgT7a55Qhj0XVq+eeHs60IIeLSD4XM+TzHv/hTciu:KR2J0LS6VqZ5KE+eBcIiXM+n/5Bu

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
852	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
216	WaterMark.exe
32	WaterMark.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/852-140-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/852-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/852-145-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4752-144-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4752-148-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/852-147-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4752-149-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/852-143-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4752-163-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/852-164-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/32-170-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-175-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-174-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-173-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-172-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-171-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-169-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-179-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-184-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-183-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-182-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/216-181-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-180-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/32-185-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxCA1B.tmp	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCA2B.tmp	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4316	3544	WerFault.exe	88
2132	524	WerFault.exe	87

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1772866536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991835"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1783336027"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94EED12E-51CE-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991835"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1772711394"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94F5F48F-51CE-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1772866536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1772711394"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1772711394"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1772711394"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94F13198-51CE-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991835"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1783648129"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
32	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
32	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe
216	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4380	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	WaterMark.exe
Token: SeDebugPrivilege	216	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4380	iexplore.exe
2824	iexplore.exe
4876	iexplore.exe
2348	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4876	iexplore.exe
4876	iexplore.exe
2824	iexplore.exe
2824	iexplore.exe
2348	iexplore.exe
2348	iexplore.exe
4380	iexplore.exe
4380	iexplore.exe
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
1524	IEXPLORE.EXE
1856	IEXPLORE.EXE
1524	IEXPLORE.EXE
1856	IEXPLORE.EXE
4988	IEXPLORE.EXE
4988	IEXPLORE.EXE
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
852	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
32	WaterMark.exe
216	WaterMark.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 852	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	82
PID 4752 wrote to memory of 852	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	82
PID 4752 wrote to memory of 852	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	82
PID 4752 wrote to memory of 216	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	83
PID 4752 wrote to memory of 216	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	83
PID 4752 wrote to memory of 216	4752	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	83
PID 852 wrote to memory of 32	852	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	84
PID 852 wrote to memory of 32	852	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	84
PID 852 wrote to memory of 32	852	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	84
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 32 wrote to memory of 3544	32	WaterMark.exe	88
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 524	216	WaterMark.exe	87
PID 216 wrote to memory of 4876	216	WaterMark.exe	93
PID 216 wrote to memory of 4876	216	WaterMark.exe	93
PID 32 wrote to memory of 4380	32	WaterMark.exe	94
PID 32 wrote to memory of 4380	32	WaterMark.exe	94
PID 32 wrote to memory of 2824	32	WaterMark.exe	92
PID 32 wrote to memory of 2824	32	WaterMark.exe	92
PID 216 wrote to memory of 2348	216	WaterMark.exe	91
PID 216 wrote to memory of 2348	216	WaterMark.exe	91
PID 4380 wrote to memory of 1856	4380	iexplore.exe	97
PID 2348 wrote to memory of 4988	2348	iexplore.exe	98
PID 4380 wrote to memory of 1856	4380	iexplore.exe	97
PID 4380 wrote to memory of 1856	4380	iexplore.exe	97
PID 2348 wrote to memory of 4988	2348	iexplore.exe	98
PID 2348 wrote to memory of 4988	2348	iexplore.exe	98
PID 4876 wrote to memory of 1524	4876	iexplore.exe	95
PID 4876 wrote to memory of 1524	4876	iexplore.exe	95
PID 4876 wrote to memory of 1524	4876	iexplore.exe	95
PID 2824 wrote to memory of 2848	2824	iexplore.exe	96
PID 2824 wrote to memory of 2848	2824	iexplore.exe	96
PID 2824 wrote to memory of 2848	2824	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
"C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
  C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 204
        5⤵
        Program crash
        
        PID:4316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4380 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1856
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 208
      4⤵
      Program crash
      PID:2132
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4988
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4876 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 524 -ip 524
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3544 -ip 3544
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
ccb563c580405313c882371762b0aa09

SHA1
369a76d4b13a8f01651a6229d287a55d36878aef

SHA256
91f7d1a75834bf424a82494b712d5080bd1c10a979164889cb23f8471850403d

SHA512
2372dcf946137d74d57a854a437591ed111b3ab53ea2246ec13faf9a3e6df4fda9d3f3809edae834e615dc9d828c0acd2cec6a6fd599b0705b8b6ff3b8aa232c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
42e618aa3737b1bb768fb75197da2e2b

SHA1
13ea9f6affac09c10dca29381fe7df897e3ef685

SHA256
97e7f6c1cb2dc5c5d449e901febcbe7ff7604c0a238bc97a3004f1ee9dd4e5bb

SHA512
69d8ae29c15647d0ffaad5204220b5e7b9ab2bb98af04d0b1d76b1e730be13c7d05a35ebb8e98c3616df57503b7244969494123b7eab8b4316000c887e924ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
42e618aa3737b1bb768fb75197da2e2b

SHA1
13ea9f6affac09c10dca29381fe7df897e3ef685

SHA256
97e7f6c1cb2dc5c5d449e901febcbe7ff7604c0a238bc97a3004f1ee9dd4e5bb

SHA512
69d8ae29c15647d0ffaad5204220b5e7b9ab2bb98af04d0b1d76b1e730be13c7d05a35ebb8e98c3616df57503b7244969494123b7eab8b4316000c887e924ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
83a77518fe612475a71e8c49454b6d22

SHA1
eb425c3d6ab3c95d70e0044c75ab73080d0faa0b

SHA256
14878aadaaf76b4c487b2faaae76114ec4ee84fa097570de67b9a5796534811c

SHA512
c0f0273e482ce9525009aed7dadae908a7ffbd85bc8028c4fc1729510ebc3060ce56397ffa791d6b12dcff344e3f5e64db78db280170b16f3613d09380410cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{94EED12E-51CE-11ED-B696-E62D9FD3CB0B}.dat

Filesize
4KB

MD5
bd53b22789e4e096d15c633ff3579f86

SHA1
f6e905f593dd8fb6b541eda3c08bdb3f65f94802

SHA256
e60b102e5a8b03e6506ea2e0944e182cff64fccf3388524d9b2a2950bcd8fb37

SHA512
b7704c7666e1ffd43d3090b7f25329ad41da6c28e47175281a2a316cb10aceb6bf2271366b10420da11aa41d5ab3c31bc8dd7e03cc4cd78a2cf03e6b9b50e22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{94EED12E-51CE-11ED-B696-E62D9FD3CB0B}.dat

Filesize
5KB

MD5
d41b4b710c4eac16c79f5c4de35c699c

SHA1
48ee0ded7c14a56cc775d4b26d70ae0c820b5513

SHA256
43fc7e695cf9c86e58eaed9c900d72113e06b0844a2556a8efdf32387b968fee

SHA512
ae046f00b35e3d8843b6a4dcc3d4cd7b879d24be9277802e3d462500a59c1910b6bfbbdaade900dc62b7d965f87a58c46ad4e64ee361059a98db1e54f59e9143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{94F5F48F-51CE-11ED-B696-E62D9FD3CB0B}.dat

Filesize
5KB

MD5
33aa382809ff05af1f6e2fde958a7411

SHA1
071c082ac23d909250e681fab55a2c00ec3b2c37

SHA256
2c4ce457ea271e56425ccf63c253e1caa5c122adc916d3e86d80390a91c4cd4f

SHA512
f2ad008a986af88169d7acb6612395c6ce0d0c86ba178c3f2153f9f4ed106340232652beca4d3a082e4cd406ae1de49cd0b6dec398b1253635b00e648aa52567

Download Submit
C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
memory/32-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-185-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/32-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/852-164-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/852-145-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/852-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/852-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4752-163-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4752-148-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4752-144-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4752-136-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download