Analysis
-
max time kernel
133s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/10/2022, 23:13
Static task
static1
Behavioral task
behavioral1
Sample
5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll
Resource
win7-20220812-en
General
-
Target
5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll
-
Size
275KB
-
MD5
a130da82f39d8bad198cbbf5e213e470
-
SHA1
2489c6fd0ef7989180d68865b41dbeafd8bc5c91
-
SHA256
5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2
-
SHA512
bb04db4a7a89019316290dabff9845b9326217a361d3cd6630821887d8a26eb1f1d41000c5566fff8882c41144cb52152dbbc81df1fbc7741af09fd10fcf3f65
-
SSDEEP
3072:UnMoFkOKCg3CXmSSZlzgeBTg4vRPo5NNFs+XNtUU/chmcFTulOVq5pNOM9hioVE5:UMJOWK4l0wqOVq1Iy1uULkpeI
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4932 rundll32mgr.exe 4804 WaterMark.exe -
resource yara_rule behavioral2/memory/4932-138-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4932-139-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4932-143-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4804-151-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-152-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-153-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-154-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-157-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-158-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-159-0x0000000000400000-0x0000000000459000-memory.dmp upx behavioral2/memory/4804-160-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px9455.tmp rundll32mgr.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2636 440 WerFault.exe 84 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C097EB5-594A-11ED-B696-EE6CABA3804C} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993751" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C0256EF-594A-11ED-B696-EE6CABA3804C} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374006162" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993751" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1094406119" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1094406119" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe 4804 WaterMark.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 948 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4804 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 948 iexplore.exe 1100 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 948 iexplore.exe 948 iexplore.exe 1100 iexplore.exe 1100 iexplore.exe 2436 IEXPLORE.EXE 2436 IEXPLORE.EXE 320 IEXPLORE.EXE 320 IEXPLORE.EXE 320 IEXPLORE.EXE 320 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4932 rundll32mgr.exe 4804 WaterMark.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1124 wrote to memory of 984 1124 rundll32.exe 81 PID 1124 wrote to memory of 984 1124 rundll32.exe 81 PID 1124 wrote to memory of 984 1124 rundll32.exe 81 PID 984 wrote to memory of 4932 984 rundll32.exe 82 PID 984 wrote to memory of 4932 984 rundll32.exe 82 PID 984 wrote to memory of 4932 984 rundll32.exe 82 PID 4932 wrote to memory of 4804 4932 rundll32mgr.exe 83 PID 4932 wrote to memory of 4804 4932 rundll32mgr.exe 83 PID 4932 wrote to memory of 4804 4932 rundll32mgr.exe 83 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 440 4804 WaterMark.exe 84 PID 4804 wrote to memory of 1100 4804 WaterMark.exe 87 PID 4804 wrote to memory of 1100 4804 WaterMark.exe 87 PID 4804 wrote to memory of 948 4804 WaterMark.exe 88 PID 4804 wrote to memory of 948 4804 WaterMark.exe 88 PID 948 wrote to memory of 320 948 iexplore.exe 90 PID 948 wrote to memory of 320 948 iexplore.exe 90 PID 948 wrote to memory of 320 948 iexplore.exe 90 PID 1100 wrote to memory of 2436 1100 iexplore.exe 89 PID 1100 wrote to memory of 2436 1100 iexplore.exe 89 PID 1100 wrote to memory of 2436 1100 iexplore.exe 89
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 2086⤵
- Program crash
PID:2636
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:320
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 440 -ip 4401⤵PID:3056
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD5f0e18ddeb04313caa6b28a5e1634d73c
SHA170c359935a774ff3e82d394c902ad6c3f601e019
SHA256d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab
SHA512296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47
-
Filesize
124KB
MD5f0e18ddeb04313caa6b28a5e1634d73c
SHA170c359935a774ff3e82d394c902ad6c3f601e019
SHA256d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab
SHA512296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C0256EF-594A-11ED-B696-EE6CABA3804C}.dat
Filesize3KB
MD56e51fefa9f9f94b10f2efa162c6720f5
SHA1feaa3a9ba1650cd707798b5647f8d8307e9db5b9
SHA256699e1bb00cb6c0e4191e8ed24c7bbd1f0c78dcc1324b0c09a7f29837f7a6939c
SHA512526e5b52763c9fcb8bfb6a3b1aff813129b704763b22ee101c659d7a23e838b82ea5e8b85c957c94ddc5a53d2a9ca05864762a51807d25f955738e1cb1599c08
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C097EB5-594A-11ED-B696-EE6CABA3804C}.dat
Filesize5KB
MD5816555bcff2df8239c771dabfea8e38c
SHA1f6bb3fa7baddb9987dd5aec1ef9a231b328f989e
SHA25690886b9a45846f3d5070ce9a9ba56338b83bce58213b1d1814add99a8e112084
SHA5121db1d44d365a0551a14656a7c276517f013238811e8d7db8ebd62d30ac263f6ba1618ff07c4f3c8c15d141e4a539449baa592086bc64296628c421a3d7caf815
-
Filesize
124KB
MD5f0e18ddeb04313caa6b28a5e1634d73c
SHA170c359935a774ff3e82d394c902ad6c3f601e019
SHA256d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab
SHA512296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47
-
Filesize
124KB
MD5f0e18ddeb04313caa6b28a5e1634d73c
SHA170c359935a774ff3e82d394c902ad6c3f601e019
SHA256d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab
SHA512296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47