Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 09:39
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
  - Resource: win7-20220812-en
General
- Target: b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
- Size: 120KB
- MD5: fc767171269c89ab964faa2daa471e31
- SHA1: 05a912999017ede0c5885dd65db92fd8200542c2
- SHA256: b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
- SHA512: 6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
- SSDEEP: 768:DQxkwifBsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2Y:D8kwilTEhU4HDa1KkjWXUa21mc/Mue9
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  The writer is the 32-bit svchost.exe (C:\Windows\SysWOW64\svchost.exe) spawned by WaterMark.exe, so the write was redirected into the Wow6432Node view of the Winlogon key; when checking a host for this persistence, read both the native and the Wow6432Node Userinit values.
- Executes dropped EXE (1 IoC)
  PID 1008 WaterMark.exe
- YARA rule upx matched in process memory (3 IoCs)
  - behavioral1/memory/1208-57-0x0000000000400000-0x0000000000428000-memory.dmp: upx
  - behavioral1/memory/1008-70-0x0000000000400000-0x0000000000428000-memory.dmp: upx
  - behavioral1/memory/1008-183-0x0000000000400000-0x0000000000428000-memory.dmp: upx
- Loads dropped DLL (2 IoCs)
  PID 1208 b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe (2 events)
- Drops file in System32 directory (2 IoCs)
  Process: svchost.exe
  - File created: C:\Windows\SysWOW64\dmlconf.dat
  - File opened for modification: C:\Windows\SysWOW64\dmlconf.dat
- Drops file in Program Files directory (10 IoCs)
  Process: b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
  - File opened for modification: C:\Program Files (x86)\Microsoft\pxF586.tmp
  - File created: C:\Program Files (x86)\Microsoft\WaterMark.exe
  - File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe
  Process: svchost.exe
  - File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe
  - File opened for modification: C:\Program Files\7-Zip\7-zip32.dll
  - File opened for modification: C:\Program Files\7-Zip\7zFM.exe
  - File opened for modification: C:\Program Files\7-Zip\7zG.exe
  - File opened for modification: C:\Program Files\7-Zip\7-zip.dll
  - File opened for modification: C:\Program Files\7-Zip\7z.dll
  - File opened for modification: C:\Program Files\7-Zip\7z.exe
  The injected svchost.exe opens an already-installed third-party program's executables and DLLs for writing, not just its own drop location; those binaries should be compared against a clean install.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  - PID 1008 WaterMark.exe (8 events)
  - PID 1304 svchost.exe (17 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 1008 WaterMark.exe (2 events)
  - Token: SeDebugPrivilege, PID 1304 svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  source PID / source process -> target PID / target process (event count)
  - 1208 b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe -> 1008 WaterMark.exe (4)
  - 1008 WaterMark.exe -> 1940 svchost.exe (10)
  - 1008 WaterMark.exe -> 1304 svchost.exe (10)
  - 1304 svchost.exe -> 260 smss.exe (5)
  - 1304 svchost.exe -> 332 csrss.exe (5)
  - 1304 svchost.exe -> 368 wininit.exe (5)
  - 1304 svchost.exe -> 376 csrss.exe (5)
  - 1304 svchost.exe -> 416 winlogon.exe (5)
  - 1304 svchost.exe -> 460 services.exe (5)
  - 1304 svchost.exe -> 476 lsass.exe (5)
  - 1304 svchost.exe -> 484 lsm.exe (5)
  The chain is dropper -> dropped WaterMark.exe -> two svchost.exe children, after which PID 1304 (holding SeDebugPrivilege) writes into every core system process from smss.exe down to lsm.exe.
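A host sweep for the IoCs listed in the signatures above, added here as an example; it is not part of the sandbox report or of any tool it references. The registry path, file paths and the SHA256 come from the report; the function names, the expected default Userinit value and the PowerShell 4+ requirement (for Get-FileHash; the stock Windows 7 shell is 2.0) are this script's own assumptions. Because the report shows a 32-bit process writing Userinit, the script reads both the native and the Wow6432Node Winlogon keys.

```powershell
# Added example (not the sandbox's or the sample's code): sweep a Windows host
# for the IoCs the report lists. Assumes PowerShell 4+ (Get-FileHash).
$ReportSha256    = 'b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf'
$WatermarkPath   = 'C:\Program Files (x86)\Microsoft\WaterMark.exe'
$DmlconfPath     = 'C:\Windows\SysWOW64\dmlconf.dat'
$TouchedBinaries = @(
    'C:\Program Files\7-Zip\7-zip32.dll', 'C:\Program Files\7-Zip\7zFM.exe',
    'C:\Program Files\7-Zip\7zG.exe',     'C:\Program Files\7-Zip\7-zip.dll',
    'C:\Program Files\7-Zip\7z.dll',      'C:\Program Files\7-Zip\7z.exe'
)

function Test-UserinitPersistence {
    # The report shows a 32-bit svchost.exe writing Userinit, so the value landed
    # in the WOW64 view (Wow6432Node). The 64-bit winlogon.exe reads the native
    # view, so check both: one for what the sample did, one for what would run.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Userinit
        if (-not $v) { continue }
        # Userinit is a comma-separated list and winlogon launches every entry.
        # Assumed clean value: a single entry, C:\Windows\system32\userinit.exe,
        $entries = @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $extra   = @($entries | Select-Object -Skip 1)
        $firstOk = ($entries.Count -ge 1) -and
                   ($entries[0] -ieq 'C:\Windows\system32\userinit.exe')
        [pscustomobject]@{
            Key        = $k
            Userinit   = $v
            Suspicious = (-not $firstOk) -or ($extra.Count -gt 0)
            Extra      = ($extra -join ' ; ')
        }
    }
}

function Test-DroppedFiles {
    # WaterMark.exe is an unmodified copy of the sample (same hashes in the
    # report), so its SHA256 can be matched directly; dmlconf.dat has no hash
    # in the report and is reported on presence only.
    foreach ($p in @($WatermarkPath, $DmlconfPath)) {
        $exists = Test-Path -LiteralPath $p
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Path          = $p
            Present       = $exists
            SHA256        = $hash
            MatchesSample = ($hash -ieq $ReportSha256)
        }
    }
}

function Get-TouchedBinaryState {
    # The injected svchost.exe opened these for modification. There is no
    # known-good hash on the page, so emit hash and last write time for the
    # analyst to diff against a clean 7-Zip install of the same version.
    foreach ($p in $TouchedBinaries) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path          = $p
            LastWriteTime = $item.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

Test-UserinitPersistence | Format-List
Test-DroppedFiles        | Format-Table -AutoSize
Get-TouchedBinaryState   | Format-Table -AutoSize
```

Run it from an elevated prompt; on the infected sandbox image Test-UserinitPersistence flags the Wow6432Node key because the first entry is the bare "userinit.exe" rather than the full path and a second entry (watermark.exe) follows it. A clean native key returns Suspicious = False with Extra empty.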
Processes
Each entry is image path, then the command line (cmd:), nested by parent. PIDs for the sample chain are taken from the signature tables above; the persistence-writing svchost.exe is PID 1940 because 1304 is the one carrying the EnumeratesProcesses, AdjustPrivilegeToken and WriteProcessMemory events and WaterMark.exe wrote to only those two children.
- C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe  cmd: C:\Windows\system32\services.exe
  - C:\Windows\system32\sppsvc.exe  cmd: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
- C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wbem\wmiprvse.exe  cmd: C:\Windows\system32\wbem\wmiprvse.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE  cmd: wmiadap.exe /F /T /R
- C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe"  (PID 1208)
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"  (PID 1008)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  (PID 1940; the system32 path in the command line is redirected to SysWOW64 for a 32-bit process)
        - Modifies WinLogon for persistence
        - Drops file in System32 directory
        - Drops file in Program Files directory
      - C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  (PID 1304)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\lsm.exe  cmd: C:\Windows\system32\lsm.exe
- C:\Windows\system32\wininit.exe  cmd: wininit.exe
- C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\System32\smss.exe  cmd: \SystemRoot\System32\smss.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Microsoft\WaterMark.exe (the report lists this file four times, twice with the drive letter and twice as \Program Files (x86)\Microsoft\WaterMark.exe; all four entries carry the same hashes)
  - Filesize: 120KB
  - MD5: fc767171269c89ab964faa2daa471e31
  - SHA1: 05a912999017ede0c5885dd65db92fd8200542c2
  - SHA256: b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
  - SHA512: 6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
  These hashes are identical to the submitted sample's: the dropper writes an unmodified copy of itself to Program Files (x86), so one hash covers both the original and the persisted copy.

Memory dumps
- memory/1008-70-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1008-56-0x0000000000000000-mapping.dmp
- memory/1008-183-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1008-131-0x0000000020021000-0x0000000020028000-memory.dmp: 28KB
- memory/1008-71-0x0000000000220000-0x0000000000248000-memory.dmp: 160KB
- memory/1208-57-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1208-59-0x00000000001B0000-0x00000000001D8000-memory.dmp: 160KB
- memory/1304-77-0x0000000020010000-0x000000002001B000-memory.dmp: 44KB
- memory/1304-74-0x0000000020010000-0x000000002001B000-memory.dmp: 44KB
- memory/1304-76-0x0000000000000000-mapping.dmp
- memory/1940-66-0x0000000020010000-0x0000000020022000-memory.dmp: 72KB
- memory/1940-72-0x0000000020010000-0x0000000020022000-memory.dmp: 72KB
- memory/1940-65-0x0000000076261000-0x0000000076263000-memory.dmp: 8KB
- memory/1940-64-0x0000000000000000-mapping.dmp
- memory/1940-62-0x0000000020010000-0x0000000020022000-memory.dmp: 72KB
- memory/1940-184-0x0000000020010000-0x0000000020022000-memory.dmp: 72KB
The 0x00400000-0x00428000 regions in PIDs 1208 and 1008 are the 160KB unpacked images that the upx YARA rule matched; the 0x20010000 regions in the two svchost.exe children (PIDs 1940 and 1304) are the code WaterMark.exe wrote into them.