Analysis
-
max time kernel
134s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
29-01-2023 22:55
Static task
static1
Behavioral task
behavioral1
Sample
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
Resource
win7-20220901-en
General
-
Target
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
-
Size
121KB
-
MD5
2299a2d6f8d62723d3d76cac0bc2c01b
-
SHA1
a2c396aa7d073b50ddc96a9996eef8f47cb9b04b
-
SHA256
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa
-
SHA512
2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95
-
SSDEEP
1536:N8kwilTEhU4HDa1KkjWXUa21mc/Mue9VR:dhlohUEK9ekp6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid process
4420 WaterMark.exe
-
UPX packed file 4 IoCs
Processes:
resource yara_rule
behavioral2/memory/2296-136-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral2/memory/4420-141-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral2/memory/4420-144-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral2/memory/4420-145-0x0000000000400000-0x0000000000427000-memory.dmp upx
-
Drops file in Program Files directory 3 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Microsoft\pxF08F.tmp 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
File created C:\Program Files (x86)\Microsoft\WaterMark.exe 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
4600 4196 WerFault.exe svchost.exe
-
Modifies Internet Explorer settings 49 IoCs
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1395437221" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1395437221" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011901" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011901" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011901" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D115AFB-A030-11ED-AECB-E62BBF623C53} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1433405101" IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1603874331" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D1133EB-A030-11ED-AECB-E62BBF623C53} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1603874331" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011901" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381801542" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011901" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1433405101" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011901" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid process
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
4420 WaterMark.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
1152 iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4420 WaterMark.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
1152 iexplore.exe
1016 iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
pid process
1016 iexplore.exe
1016 iexplore.exe
1152 iexplore.exe
1152 iexplore.exe
2164 IEXPLORE.EXE
2164 IEXPLORE.EXE
2068 IEXPLORE.EXE
2068 IEXPLORE.EXE
2068 IEXPLORE.EXE
2068 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description pid process target process
PID 2296 wrote to memory of 4420 2296 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe WaterMark.exe
PID 2296 wrote to memory of 4420 2296 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe WaterMark.exe
PID 2296 wrote to memory of 4420 2296 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe WaterMark.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 4196 4420 WaterMark.exe svchost.exe
PID 4420 wrote to memory of 1016 4420 WaterMark.exe iexplore.exe
PID 4420 wrote to memory of 1016 4420 WaterMark.exe iexplore.exe
PID 4420 wrote to memory of 1152 4420 WaterMark.exe iexplore.exe
PID 4420 wrote to memory of 1152 4420 WaterMark.exe iexplore.exe
PID 1016 wrote to memory of 2164 1016 iexplore.exe IEXPLORE.EXE
PID 1016 wrote to memory of 2164 1016 iexplore.exe IEXPLORE.EXE
PID 1016 wrote to memory of 2164 1016 iexplore.exe IEXPLORE.EXE
PID 1152 wrote to memory of 2068 1152 iexplore.exe IEXPLORE.EXE
PID 1152 wrote to memory of 2068 1152 iexplore.exe IEXPLORE.EXE
PID 1152 wrote to memory of 2068 1152 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\WaterMark.exe
    Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 208
        - Program crash
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4196 -ip 4196
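The process tree and the signatures above describe one chain: the sample copies itself to C:\Program Files (x86)\Microsoft\WaterMark.exe (same hashes as the original, see Downloads), runs the copy, and the copy writes into a freshly started svchost.exe and two iexplore.exe instances. The following is an added example, not part of the sandbox report or any tool it mentions, that turns those observations into host-side detection logic run over Sysmon-style ProcessCreate (Event ID 1) and FileCreate (Event ID 11) records. The records are constructed to replay the report's tree; paths, PIDs and the SHA256 are copied from the report, while the parent of the original sample (explorer.exe), the placeholder hash used for non-sample files and the benign svchost.exe record are assumptions added for contrast. The two svchost.exe rules generalise beyond the report: a legitimate svchost.exe is started by services.exe with a `-k <group>` argument, and the injected one here has neither.

```python
"""Matching this report's indicators against Sysmon-style events.

Added example, not part of the sandbox report. The records in SAMPLE_EVENTS
are constructed to mimic the fields of Sysmon Event ID 1 (ProcessCreate) and
Event ID 11 (FileCreate). Paths, PIDs and hashes come from the report; the
parent of the original sample (explorer.exe), the placeholder hash for files
that are not the sample, and the benign svchost.exe record are assumptions.
"""

# Indicators taken from the report.
SAMPLE_SHA256 = "9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe")
DROPPED_PATH = r"C:\Program Files (x86)\Microsoft\WaterMark.exe"
# Processes the dropped EXE wrote into (WriteProcessMemory IoCs).
INJECTION_TARGETS = {"svchost.exe", "iexplore.exe"}
PLACEHOLDER_SHA256 = "0" * 64  # constructed; stands in for any non-sample file


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hashes(field):
    """Sysmon writes hashes as 'MD5=...,SHA256=...'; return {algorithm: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_events(events):
    """Return (rule, detail) findings for a list of event dicts.

    The first four rules restate the report's signatures: the sample hash,
    the drop into Program Files (x86)\\Microsoft, execution of the dropped
    file, and the dropped file spawning svchost.exe / iexplore.exe. The two
    svchost.exe rules generalise what the process tree shows: a legitimate
    svchost.exe is started by services.exe and carries a '-k <group>' argument;
    the injected one here was started by WaterMark.exe with neither.
    """
    findings = []
    for ev in events:
        if ev["id"] == 11:  # FileCreate
            if ev["target_filename"].lower() == DROPPED_PATH.lower():
                findings.append(("drops_exe_in_program_files",
                                 f'{basename(ev["image"])} (pid {ev["pid"]}) -> {ev["target_filename"]}'))
            continue
        if ev["id"] != 1:  # only ProcessCreate from here on
            continue
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if parse_hashes(ev.get("hashes", "")).get("SHA256") == SAMPLE_SHA256:
            findings.append(("known_sample_hash", ev["image"]))
        if ev["image"].lower() == DROPPED_PATH.lower():
            findings.append(("executes_dropped_exe", f'pid {ev["pid"]}'))
        if parent == "watermark.exe" and image in INJECTION_TARGETS:
            findings.append(("child_of_dropped_exe",
                             f'{parent} (pid {ev["ppid"]}) -> {image} (pid {ev["pid"]})'))
        if image == "svchost.exe":
            if parent != "services.exe":
                findings.append(("svchost_abnormal_parent", f'parent {parent} (pid {ev["ppid"]})'))
            if " -k " not in f' {ev["command_line"].lower()} ':
                findings.append(("svchost_without_service_group", ev["command_line"]))
    return findings


def proc(pid, ppid, image, parent_image, command_line, sha256):
    """Build a constructed ProcessCreate record."""
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "parent_image": parent_image,
            "command_line": command_line, "hashes": f"SHA256={sha256}"}


# Constructed events replaying the report's process tree, plus one benign svchost.exe.
SAMPLE_EVENTS = [
    proc(2296, 1234, SAMPLE_PATH, r"C:\Windows\explorer.exe", f'"{SAMPLE_PATH}"', SAMPLE_SHA256),
    {"id": 11, "pid": 2296, "image": SAMPLE_PATH, "target_filename": DROPPED_PATH},
    # The dropped copy carries the same hashes as the sample (see Downloads).
    proc(4420, 2296, DROPPED_PATH, SAMPLE_PATH, f'"{DROPPED_PATH}"', SAMPLE_SHA256),
    proc(4196, 4420, r"C:\Windows\SysWOW64\svchost.exe", DROPPED_PATH,
         r"C:\Windows\system32\svchost.exe", PLACEHOLDER_SHA256),
    proc(1016, 4420, r"C:\Program Files\Internet Explorer\iexplore.exe", DROPPED_PATH,
         r'"C:\Program Files\Internet Explorer\iexplore.exe"', PLACEHOLDER_SHA256),
    proc(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs -p", PLACEHOLDER_SHA256),
]

if __name__ == "__main__":
    for rule, detail in match_events(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Run stand-alone, the script lists one finding per matching rule: the hash rule fires twice (original and dropped copy), the drop and execution rules once each, the child rule for both svchost.exe and iexplore.exe, and both svchost.exe rules for pid 4196 only; the benign services.exe-spawned svchost.exe produces nothing. On a real host the hash rule alone is brittle (a repacked build changes it), so the behavioural rules are the ones worth keeping.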
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize 121KB
MD5 2299a2d6f8d62723d3d76cac0bc2c01b
SHA1 a2c396aa7d073b50ddc96a9996eef8f47cb9b04b
SHA256 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa
SHA512 2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize 121KB
MD5 2299a2d6f8d62723d3d76cac0bc2c01b
SHA1 a2c396aa7d073b50ddc96a9996eef8f47cb9b04b
SHA256 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa
SHA512 2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 471B
MD5 0518b0c986ebecc2e8b7d18563f3a3f9
SHA1 f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f
SHA256 5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492
SHA512 a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 434B
MD5 f47dabfe531f2b135b1217714fbf04b3
SHA1 6a4a7744431ca01ed2969fb6b2a85b3136613ba0
SHA256 83eb510c1f0c7bd17caf78fc0d2af4bbecffccc1710c2a9d3e408819a15df4df
SHA512 4ed650a70a51ba5ed2cfc64cd653129a073f5a7fb9853fee26a1d7a67fededd3c02b186e750a0886bfaffb5868f4a3af8498d883dba0ae035e61af6f6420fa97
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7D1133EB-A030-11ED-AECB-E62BBF623C53}.dat
Filesize 3KB
MD5 d019c6bfc731de7600a1ad010365a8e6
SHA1 fa9f14689b6e48059c03cba0aa1afd917cb4b9d5
SHA256 d9b2c8f352ca0055d728f4d5c91462ab2c246b888b912c6c5e74a6bfee22f2d6
SHA512 d362d51b429d92621ef35039849399db443c8cc68e4a4395c22c982459eda89d0fb67f79cff177d7b5428a88d56870ddd283ca7ee5948eeaaeb5abd02865630f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7D115AFB-A030-11ED-AECB-E62BBF623C53}.dat
Filesize 5KB
MD5 e962f514efc5b67e70a1a4465bca52fe
SHA1 9e75c00bb49e2f54c5800a6233a75be2a8ef1532
SHA256 379e630363d8b40977c04b8deed61cebfb530ea0fcb406006c186c3ff60e279d
SHA512 f69463d07fdcd2670abf3024e384223ef888e3fe82e8dd8519280eeb26a20d49210238f0d1991b6898a1c898656cc1fbe33db85592aa31e6fb41e52f53c3383b
-
memory/2296-137-0x0000000002160000-0x0000000002187000-memory.dmp
Filesize 156KB
-
memory/2296-132-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize 156KB
-
memory/2296-136-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize 156KB
-
memory/4196-139-0x0000000000000000-mapping.dmp
-
memory/4420-140-0x0000000000640000-0x0000000000667000-memory.dmp
Filesize 156KB
-
memory/4420-141-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize 156KB
-
memory/4420-144-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize 156KB
-
memory/4420-145-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize 156KB
-
memory/4420-133-0x0000000000000000-mapping.dmp