1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649

General

Target

1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe
Size

252KB
MD5

0be1546dd494217bf5ed10e71726f6c5
SHA1

28758bbb3ca914be85028d25b209f1c4c522e97c
SHA256

1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649
SHA512

dfcd0c31a0140255f8609db26d407f538896dbfe06f0c9a5addb8411a56f7d1deb5bd18637b26356612cdac4de8129af1caab7e061a700dc5566fe8bf7103e0e
SSDEEP

1536:f8kwilTEhU4HDa1KkjWXUa21mc/Mue9bEwyyxM2f5+j:nhlohUEK9ekpNAgj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	WaterMark.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-132-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4360-139-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4360-143-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4360-144-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB72F.tmp	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	4596	WerFault.exe	38

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe
4360	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	WaterMark.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4360	4696	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe	39
PID 4696 wrote to memory of 4360	4696	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe	39
PID 4696 wrote to memory of 4360	4696	1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe	39
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 4596	4360	WaterMark.exe	38
PID 4360 wrote to memory of 5084	4360	WaterMark.exe	85
PID 4360 wrote to memory of 5084	4360	WaterMark.exe	85
PID 4360 wrote to memory of 4772	4360	WaterMark.exe	86
PID 4360 wrote to memory of 4772	4360	WaterMark.exe	86

C:\Users\Admin\AppData\Local\Temp\1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe
"C:\Users\Admin\AppData\Local\Temp\1c25cd7148baebedf60767376b6762e03779c297f7bca1ad0336b091ac113649.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:5084
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
      4⤵
      PID:3300
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:4772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:17410 /prefetch:2
      4⤵
      PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4596 -ip 4596
1⤵
PID:4536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 204
  2⤵
  - Program crash
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
25KB

MD5
e58eb417747833b5a54664598d10ad5d

SHA1
798486ff85a38e93f385f333672cd499838db498

SHA256
599f197c45b10abd0c9947dcb988fe28c93f5a073961fa67035934dfa6870ea6

SHA512
40fa4176b15149ab41d432ecd5747871ea8b4c1baf1feced042a95dfad0b9e3be23be896da3c4bc53c19c850bf732cd79621a74182d72994765bcab3f7f2e1c4

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
43KB

MD5
25a9b18fa347a7db09009299ae332a98

SHA1
daa7acaa964f27c6a789ad1c53d3500e654de839

SHA256
5c725060cc1322826bbc198bc83f93f9e4ea98682d6472d18ab8ed39a3b9dc11

SHA512
34527f7f0cd15ac466026384e99570c326bda9950548e7ac5751451b1181bd636870c3c38359bbf2cb2e883a8620384e119ea4110ddd1ab4fefadbf6c85265a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9BE4A10F-5752-11ED-89AC-5EAE84113378}.dat

Filesize
5KB

MD5
0e924c435889c64a7e5770f89b64045c

SHA1
926a1684451e4814c645db1fa43fb7fe4887a9e2

SHA256
813d5f48c593391cf32fe79c20087bd3da2e6a82f0338ccf7a8baa39e81e05f9

SHA512
bff2d8fe7c10bb3c1b5c4e2b1aa65d391b7c3f43c8b453b8871daa2291c1bcd6c05b3cf1dee40406fac7a26c817c0c64301f2e90376348e848b89440410d6eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9BE965D5-5752-11ED-89AC-5EAE84113378}.dat

Filesize
3KB

MD5
b844c20d28b2ad66740318815899825c

SHA1
6dbf08defc5b8941237d0f7522bda131819a169e

SHA256
28a1a2f68d5480ae978578e463ecb82addb614d98ef3b830a7f5255af4d90baa

SHA512
9275a199fbc6601d58a32fdb1c7fdb3ee9ceb1f5dafc577333634912cbe5641c0d87f1da09cd4d65085f056214a38a33df05ded8d9d802291b8f34bfb89871ef

Download Submit
memory/4360-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-140-0x0000000002070000-0x00000000020A3000-memory.dmp

Filesize
204KB

Download
memory/4360-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-133-0x0000000002170000-0x00000000021A3000-memory.dmp

Filesize
204KB

Download
memory/4696-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing