7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662

Analysis

max time kernel
158s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662.dll
Size

285KB
MD5

802eb9c45206347f84e6896869be3c28
SHA1

d5ff8095cd4cd56accbac251604acfd085f040d1
SHA256

7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662
SHA512

7593d20acbaa8c9d10f6f49911039f97da768d7b8e6a5d51c5e786b0a245bd5959d4d930b723d5ba29e29226b06c7d4765ec3c60adf6e810f71168623d1babec
SSDEEP

6144:65f4F+lY+NOttNIQ9jHC74RFVPNzQWSrwCgQ:614clY7ttNIGJNsJWQ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4884	regsvr32mgr.exe
4692	WaterMark.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4884-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4884-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4884-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4884-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4884-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4692-151-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4692-152-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4692-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFCF.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3680	4592	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991837"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1502717086"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991837"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1260373373"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373184138"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1260373373"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1260373373"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{760CF0D7-51D0-11ED-89AC-DEF0885D2AEB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1260373373"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991837"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1502717086"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991837"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991837"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991837"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{760F51D9-51D0-11ED-89AC-DEF0885D2AEB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc.1\CLSID\ = "{132DF7CC-8A54-4422-9546-CB999A44FCB3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\AppID = "{5A74A8C8-4FF4-47E7-A6C2-BDE712D7AA6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc\CurVer\ = "wbcdll.Wbc.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\ = "Wbc Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16606270-4435-4759-B420-46EA354F21EE}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\ = "_IWbcEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\TypeLib\ = "{16606270-4435-4759-B420-46EA354F21EE}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc\ = "Wbc Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\TypeLib\ = "{16606270-4435-4759-B420-46EA354F21EE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\TypeLib\ = "{16606270-4435-4759-B420-46EA354F21EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\TypeLib\ = "{16606270-4435-4759-B420-46EA354F21EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\ProxyStubClsid32\ = "{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc.1\ = "Wbc Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C89BD3E6-3DB9-468B-8ACB-8DBCD87B6C6E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\ = "IWbc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\ = "IWbcUI"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wbcdll.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wbcdll.DLL\AppID = "{5A74A8C8-4FF4-47E7-A6C2-BDE712D7AA6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16606270-4435-4759-B420-46EA354F21EE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5A74A8C8-4FF4-47E7-A6C2-BDE712D7AA6D}\ = "wbcdll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wbcdll.Wbc\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16606270-4435-4759-B420-46EA354F21EE}\1.0\ = "wbcdll 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1CE92C3-F161-4652-A02B-FC5366163152}\ = "IWbc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82CDA084-8C77-4D46-BE00-2E1283B0E2BA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\VersionIndependentProgID\ = "wbcdll.Wbc"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{132DF7CC-8A54-4422-9546-CB999A44FCB3}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16606270-4435-4759-B420-46EA354F21EE}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16606270-4435-4759-B420-46EA354F21EE}\1.0\0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe
4692	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4928	iexplore.exe
5040	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4928	iexplore.exe
4928	iexplore.exe
5040	iexplore.exe
5040	iexplore.exe
3676	IEXPLORE.EXE
3676	IEXPLORE.EXE
4616	IEXPLORE.EXE
4616	IEXPLORE.EXE
3676	IEXPLORE.EXE
3676	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4884	regsvr32mgr.exe
4692	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1912	1984	regsvr32.exe	81
PID 1984 wrote to memory of 1912	1984	regsvr32.exe	81
PID 1984 wrote to memory of 1912	1984	regsvr32.exe	81
PID 1912 wrote to memory of 4884	1912	regsvr32.exe	82
PID 1912 wrote to memory of 4884	1912	regsvr32.exe	82
PID 1912 wrote to memory of 4884	1912	regsvr32.exe	82
PID 4884 wrote to memory of 4692	4884	regsvr32mgr.exe	83
PID 4884 wrote to memory of 4692	4884	regsvr32mgr.exe	83
PID 4884 wrote to memory of 4692	4884	regsvr32mgr.exe	83
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4592	4692	WaterMark.exe	84
PID 4692 wrote to memory of 4928	4692	WaterMark.exe	85
PID 4692 wrote to memory of 4928	4692	WaterMark.exe	85
PID 4692 wrote to memory of 5040	4692	WaterMark.exe	87
PID 4692 wrote to memory of 5040	4692	WaterMark.exe	87
PID 4928 wrote to memory of 3676	4928	iexplore.exe	90
PID 4928 wrote to memory of 3676	4928	iexplore.exe	90
PID 4928 wrote to memory of 3676	4928	iexplore.exe	90
PID 5040 wrote to memory of 4616	5040	iexplore.exe	91
PID 5040 wrote to memory of 4616	5040	iexplore.exe	91
PID 5040 wrote to memory of 4616	5040	iexplore.exe	91

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7b41f9b6d4792b89ad6b42e5baabadaed06d94a811e7b39183a03628173a9662.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 204
        6⤵
        Program crash
        
        PID:3680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3676
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5040 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4592 -ip 4592
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
aea1462e5f1f31dd74df7833b5a07305

SHA1
cea53b9b3311f1003df5d9266f9e3fbd5c971f28

SHA256
62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

SHA512
776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
aea1462e5f1f31dd74df7833b5a07305

SHA1
cea53b9b3311f1003df5d9266f9e3fbd5c971f28

SHA256
62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

SHA512
776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
d078862bb7f9eeebdcc23e4b5def1d15

SHA1
9a2633c9efe59fe9a1788af387c651dbaea49260

SHA256
098df52c926b6660f157504bbcaf7c4f809b1b6490b2985fa4f14b7cc4c9a54e

SHA512
fbeb466f60a63e61b20de945d58b8cd769191590345437b53fe5fad54b9cc54e0ae91918e13ce8d7e112d4d302b994c786b7bb891a005dd852e7f42608894a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
bae75ed4a63ee6c2fc7f068d1d7971c7

SHA1
1e2666eefa6470a582f8d4375f46fe680011a23c

SHA256
58cf85095155804318cdf058b9cf9d94796c7c83362f10a2c47e773f89addbc2

SHA512
5e1902ec094dd0e73443586add477b906d1001b66c5991b7c18fd6e146da900526eb8bad2c0590b2fa170914be6b1375be3dd0133e23e6aa46a4e84cda6dbccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{760CF0D7-51D0-11ED-89AC-DEF0885D2AEB}.dat

Filesize
5KB

MD5
3b1b021497a2826068bbe7615ad8086f

SHA1
e7a4a55e169c911d1b2b7f4cab0a1a76d32ff825

SHA256
12d0f4a18c61b52795dc6ab55ddba7f9ed695a98eabfa87b9c134e23b8451724

SHA512
f980264f35c02c863b59a0dd55b72a6e0d14c7aab5522906795d9abc61e4f46e9c4b6fee68890c83d0828158d6872a7f8feaf1c47d5f0da50b0987506a5f72a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{760F51D9-51D0-11ED-89AC-DEF0885D2AEB}.dat

Filesize
5KB

MD5
6926a8602a1ac7dd1baa7be89b65c0ab

SHA1
8c8689f651aeb61bd50b1d0cf1adf9bc27e8eefb

SHA256
ae7b1eb8f2b9d206c25463f13336ffb7df37955dfbbee5ec819ae0610c4b23da

SHA512
f6ef57f7e489eacddf66f528bec46e84af2f552629a7298a22b72a46ee8eaed95c2a23062c11f4b404344210770db638b8fdbd5bbccf6c5ff15d0c5d95fa5e68

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
aea1462e5f1f31dd74df7833b5a07305

SHA1
cea53b9b3311f1003df5d9266f9e3fbd5c971f28

SHA256
62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

SHA512
776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
aea1462e5f1f31dd74df7833b5a07305

SHA1
cea53b9b3311f1003df5d9266f9e3fbd5c971f28

SHA256
62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

SHA512
776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

Download Submit
memory/1912-133-0x0000000074E40000-0x0000000074E8E000-memory.dmp

Filesize
312KB

Download
memory/4692-152-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4692-151-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4692-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4884-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4884-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4884-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4884-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4884-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download