3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796

Analysis

max time kernel
494s
max time network
496s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe
Size

248KB
MD5

7c7617865e9425b82e9f397ce9afcca5
SHA1

d9595e8927b837d68e3eba2beba74c965b2f599b
SHA256

3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796
SHA512

3a2eb2db4fb7ad03fa202dfd5a5eea52f5e08dc08b841c0bf3fe98b1554bb72d17894e23ac87e627cd8e728ba76268597cb8b32ccb99253f99d343b4befe3ee3
SSDEEP

3072:DR2xn3k0CdM1vabyzJYWqCaaSV18NS2hliolT21wl4paLUMsNHw5iBPzrmjMyLiS:DR2J0LS6Vh6F6oY1w4MsNHwOrmkY

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5000	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
3820	WaterMark.exe
2268	WaterMark.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5000-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5000-146-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/5000-144-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2576-142-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5000-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2576-149-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5000-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2576-154-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2268-161-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/5000-158-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-163-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-165-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-166-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-168-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-172-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-173-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-174-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-180-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-181-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-182-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-183-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3820-184-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-185-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2268-186-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9407.tmp	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px93B9.tmp	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
204	2112	WerFault.exe	87
5008	3596	WerFault.exe	88

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992855"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2511780566"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2511780566"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C12005C2-55CA-11ED-B696-4A8324823CC0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2511780566"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373621458"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992855"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2519593151"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992855"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2511780566"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C11FDEB2-55CA-11ED-B696-4A8324823CC0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2519905022"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992855"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2512259904"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
3820	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe
2268	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4112	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	WaterMark.exe
Token: SeDebugPrivilege	3820	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2044	iexplore.exe
1332	iexplore.exe
4112	iexplore.exe
1308	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1308	iexplore.exe
1308	iexplore.exe
4112	iexplore.exe
4112	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
1332	iexplore.exe
1332	iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
5000	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe
3820	WaterMark.exe
2268	WaterMark.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 5000	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	84
PID 2576 wrote to memory of 5000	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	84
PID 2576 wrote to memory of 5000	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	84
PID 5000 wrote to memory of 3820	5000	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe	85
PID 5000 wrote to memory of 3820	5000	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe	85
PID 5000 wrote to memory of 3820	5000	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe	85
PID 2576 wrote to memory of 2268	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	86
PID 2576 wrote to memory of 2268	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	86
PID 2576 wrote to memory of 2268	2576	3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe	86
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 3820 wrote to memory of 2112	3820	WaterMark.exe	87
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 2268 wrote to memory of 3596	2268	WaterMark.exe	88
PID 3820 wrote to memory of 4112	3820	WaterMark.exe	94
PID 3820 wrote to memory of 4112	3820	WaterMark.exe	94
PID 2268 wrote to memory of 1332	2268	WaterMark.exe	93
PID 2268 wrote to memory of 1332	2268	WaterMark.exe	93
PID 3820 wrote to memory of 2044	3820	WaterMark.exe	95
PID 3820 wrote to memory of 2044	3820	WaterMark.exe	95
PID 2268 wrote to memory of 1308	2268	WaterMark.exe	96
PID 2268 wrote to memory of 1308	2268	WaterMark.exe	96
PID 1308 wrote to memory of 4424	1308	iexplore.exe	98
PID 1308 wrote to memory of 4424	1308	iexplore.exe	98
PID 1308 wrote to memory of 4424	1308	iexplore.exe	98
PID 4112 wrote to memory of 2980	4112	iexplore.exe	97
PID 4112 wrote to memory of 2980	4112	iexplore.exe	97
PID 4112 wrote to memory of 2980	4112	iexplore.exe	97
PID 2044 wrote to memory of 3012	2044	iexplore.exe	100
PID 2044 wrote to memory of 3012	2044	iexplore.exe	100
PID 2044 wrote to memory of 3012	2044	iexplore.exe	100
PID 1332 wrote to memory of 2908	1332	iexplore.exe	99
PID 1332 wrote to memory of 2908	1332	iexplore.exe	99
PID 1332 wrote to memory of 2908	1332	iexplore.exe	99

C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe
"C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
  C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 204
        5⤵
        Program crash
        
        PID:204
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4112 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3012
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 204
      4⤵
      Program crash
      PID:5008
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2112 -ip 2112
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3596 -ip 3596
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
f366b94e5659b913db6a549937a32786

SHA1
ae3a4249a0b7165ab8c25a9dafc01cef2599928b

SHA256
714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

SHA512
349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
f366b94e5659b913db6a549937a32786

SHA1
ae3a4249a0b7165ab8c25a9dafc01cef2599928b

SHA256
714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

SHA512
349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
f366b94e5659b913db6a549937a32786

SHA1
ae3a4249a0b7165ab8c25a9dafc01cef2599928b

SHA256
714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

SHA512
349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd7a0345cc0e64adb3c109997a2c1a

SHA1
76ebba7d659452c2f3cd86b589dfd82fc73afddb

SHA256
43f974eae1ff849eb1ba9afc5c73ec9a5f1b32aa7c07c0f9124f9a320ac76ac5

SHA512
ebe08af1f17b7d31e388136734618c3a4f46433dca14bb95fa0cd8b7c80f543e09f42013d925bf7c872ab0ecd7d3b12a81f265bd6c486b189910722e052ed6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd7a0345cc0e64adb3c109997a2c1a

SHA1
76ebba7d659452c2f3cd86b589dfd82fc73afddb

SHA256
43f974eae1ff849eb1ba9afc5c73ec9a5f1b32aa7c07c0f9124f9a320ac76ac5

SHA512
ebe08af1f17b7d31e388136734618c3a4f46433dca14bb95fa0cd8b7c80f543e09f42013d925bf7c872ab0ecd7d3b12a81f265bd6c486b189910722e052ed6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd7a0345cc0e64adb3c109997a2c1a

SHA1
76ebba7d659452c2f3cd86b589dfd82fc73afddb

SHA256
43f974eae1ff849eb1ba9afc5c73ec9a5f1b32aa7c07c0f9124f9a320ac76ac5

SHA512
ebe08af1f17b7d31e388136734618c3a4f46433dca14bb95fa0cd8b7c80f543e09f42013d925bf7c872ab0ecd7d3b12a81f265bd6c486b189910722e052ed6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd7a0345cc0e64adb3c109997a2c1a

SHA1
76ebba7d659452c2f3cd86b589dfd82fc73afddb

SHA256
43f974eae1ff849eb1ba9afc5c73ec9a5f1b32aa7c07c0f9124f9a320ac76ac5

SHA512
ebe08af1f17b7d31e388136734618c3a4f46433dca14bb95fa0cd8b7c80f543e09f42013d925bf7c872ab0ecd7d3b12a81f265bd6c486b189910722e052ed6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
9057987c8d89c3f2c37a4be75c90e05b

SHA1
ddcd548448ac5509176d8704e83bdfe94bd20e58

SHA256
8aa252b9c4017fcb54634323f07b1279835c9090e8d4b48bc9b3a0ac8cec6c3c

SHA512
bb61178fbd79540639986758d09a9e7f170f5aad8d93ff4a4b9f2a415fc03529810fc784975f101e504b778cea52e46d203881a5486b66d1be06f4fa86192b90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
9d5b887a2ba72756d9d84a97c939a68c

SHA1
fa0226981fc4a3156a30c2375944ab0ef8ccc4ce

SHA256
b6cd71ae7624d7da02676c8403d64e27d53902126499657d2c5c484e0ca9876f

SHA512
ed34917b177b152c4cea02aa8534113801e26edd57f29c738b7511707c464c7c8ee8328fe0e19b67ed34535206a0d02f0a44e11ecdbf33e8ec8e6a14e46c7bbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
6060aed32af11796b0c0d4c64fd7c93c

SHA1
5dccd5ac8bb060eb8887c6f6f52704d88323cc44

SHA256
dc9bde98bce2d199adf5c3f00f0fbafeb52e823dda3cac46ace4cfcf291495e9

SHA512
29663efee45bbade151e37d7ad48a5567db4318c55676ec1a3f42a938c8036a4acfe05f6bba798fd1ba23fcd1ab673d583158e27330179b6a902e88a5bdf0cc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
fd8a55fa20ecaf807050de5d45cf977f

SHA1
86f55882f8885153024c445df0fe3d06ae679e72

SHA256
32f5c7abf93c8af755d4aa4d4adc762cb324f25099f1abad9c879e80be22e9b0

SHA512
2618093fedad0f8537cf9c1cd25a76c187a9e92dabbeae0b47a383919ff27a842fbb560fcf0d93f000eb5b467f5a953b30d9a5af9af4f69cbdda8bede51174ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C11D7CF0-55CA-11ED-B696-4A8324823CC0}.dat

Filesize
5KB

MD5
d68b5b26e83a19dac108ba81a99cfcc1

SHA1
1d86c327edab3cc847154d28b4fc7b4a67a42a49

SHA256
618bde4b8feb42f9fc142476805d62ca0ce23c4af79c798629e7a9dbde3f8b61

SHA512
f68a5c71260ea1fbdfad1d0c5c206141ed3e1ba20509312bd209e1e94fb730d9256778dd8a7a54fa5c1dc9aa7e346a5648f6e3391a9c44ee2605ea43404745bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C11FDEB2-55CA-11ED-B696-4A8324823CC0}.dat

Filesize
5KB

MD5
5a78276b428d21bd9bb398ea82dbe4cd

SHA1
1bf465c2384f19064be1ae69c6c7667d5e68f0e7

SHA256
867e1923784dd99e1d543db6e7b665aa796ac54837e5ea82bb7b6f55a88ab118

SHA512
14f7b191de61a94385f1c0df9f8d9782d02e52d841db02c6b4abb88dac3451516a06bbd69c56d6001e30862ea447e088c868b591fe56705e0628f48d36c4f163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C12005C2-55CA-11ED-B696-4A8324823CC0}.dat

Filesize
3KB

MD5
44a69748b116272ecf6f7490f08b2ee3

SHA1
87d2d321ebf2590569d8560a4de262746c1e6b24

SHA256
0048c2a2d3c9af5df6c966b94e6d8d8f2d1191b3f97ec93503d87627f9caea08

SHA512
e5144741fc49e272eb6c51c33c00d233c3a935180b942b0db497d2cee97b6a2b2932173923c7c73b275755c3f8cb74b529825e5c0e39db46349a611e5f48d19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C12005C2-55CA-11ED-B696-4A8324823CC0}.dat

Filesize
5KB

MD5
5a1eaa6edf21a0fc70b8fcbfc1e337c1

SHA1
8bd98561a4618c3e1caebbca614ffcb85a1f1b96

SHA256
22d105c60d6ca78c6bd178233f30c8753e7c224fa7b03c2095ce790e0267b2cf

SHA512
29c5639ee91c4c25446242742859dce054a3e9223c5579e10f3ab10fad925e03d67bc8fe0737c2d61c45c8d6e0643134823688276a2a55e97c3dd74e96897e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe

Filesize
123KB

MD5
f366b94e5659b913db6a549937a32786

SHA1
ae3a4249a0b7165ab8c25a9dafc01cef2599928b

SHA256
714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

SHA512
349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a1c350e3fcd95acc2c6d1281a4e6c81a75a9678f4e4c55a417e011cd1400796mgr.exe

Filesize
123KB

MD5
f366b94e5659b913db6a549937a32786

SHA1
ae3a4249a0b7165ab8c25a9dafc01cef2599928b

SHA256
714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

SHA512
349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

Download Submit
memory/2268-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-186-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2268-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2576-149-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2576-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2576-142-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3820-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5000-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5000-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5000-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download