Analysis
-
max time kernel
175s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29-01-2023 09:39
Static task
static1
Behavioral task
behavioral1
Sample
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
Resource
win7-20220812-en
General
-
Target
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
-
Size
120KB
-
MD5
fc767171269c89ab964faa2daa471e31
-
SHA1
05a912999017ede0c5885dd65db92fd8200542c2
-
SHA256
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
-
SHA512
6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
-
SSDEEP
768:DQxkwifBsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2Y:D8kwilTEhU4HDa1KkjWXUa21mc/Mue9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WaterMark.exepid process 4792 WaterMark.exe -
Processes:
resource yara_rule behavioral2/memory/4044-132-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4792-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4792-142-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4792-145-0x0000000000400000-0x0000000000428000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
Processes:
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe File opened for modification C:\Program Files (x86)\Microsoft\px62A.tmp b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1152 4324 WerFault.exe svchost.exe -
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011790" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011790" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381753838" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C6D883D-9FC1-11ED-919F-C2D7A23AFBD4} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "941433676" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011790" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011790" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1063776844" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C724D20-9FC1-11ED-919F-C2D7A23AFBD4} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011790" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1018464639" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "941433676" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1063776844" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011790" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1018464639" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
WaterMark.exepid process 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe 4792 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WaterMark.exedescription pid process Token: SeDebugPrivilege 4792 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exeiexplore.exepid process 2380 iexplore.exe 2648 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEpid process 2380 iexplore.exe 2380 iexplore.exe 2648 iexplore.exe 2648 iexplore.exe 4460 IEXPLORE.EXE 4460 IEXPLORE.EXE 1444 IEXPLORE.EXE 1444 IEXPLORE.EXE 4460 IEXPLORE.EXE 4460 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exeWaterMark.exeiexplore.exeiexplore.exedescription pid process target process PID 4044 wrote to memory of 4792 4044 b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe WaterMark.exe PID 4044 wrote to memory of 4792 4044 b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe WaterMark.exe PID 4044 wrote to memory of 4792 4044 b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe WaterMark.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 4324 4792 WaterMark.exe svchost.exe PID 4792 wrote to memory of 2380 4792 WaterMark.exe iexplore.exe PID 4792 wrote to memory of 2380 4792 WaterMark.exe iexplore.exe PID 4792 wrote to memory of 2648 4792 WaterMark.exe iexplore.exe PID 4792 wrote to memory of 2648 4792 WaterMark.exe iexplore.exe PID 2380 wrote to memory of 4460 2380 iexplore.exe IEXPLORE.EXE PID 2380 wrote to memory of 4460 2380 iexplore.exe IEXPLORE.EXE PID 2380 wrote to memory of 4460 2380 iexplore.exe IEXPLORE.EXE PID 2648 wrote to memory of 1444 2648 iexplore.exe IEXPLORE.EXE PID 2648 wrote to memory of 1444 2648 iexplore.exe IEXPLORE.EXE PID 2648 wrote to memory of 1444 2648 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe"C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2124⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4324 -ip 43241⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
120KB
MD5fc767171269c89ab964faa2daa471e31
SHA105a912999017ede0c5885dd65db92fd8200542c2
SHA256b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
SHA5126ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
120KB
MD5fc767171269c89ab964faa2daa471e31
SHA105a912999017ede0c5885dd65db92fd8200542c2
SHA256b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
SHA5126ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD526cb63224b51d99ce887c9ff8130a338
SHA1108ad165d80234621dfba3fb62195a26ce821acb
SHA256c0a8afd7b1a047144b9cf337e4518f7ce1b5108dbbd135e593b4411855222a41
SHA5125f0782919fdc942a1614fd76e25b62c74e96e4e8a12a30b1162db2d9bd3fd6ae8160c3edc101f7ea80137aabdbae62ae57bbe29b96b995b66f80162a647bd76d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5952a2aa3ffef99b1e14a10d7a894de89
SHA175abe69c7aab8e423262f2ff62aaf3068a8f5904
SHA256429dacc95c262ac137a637896e642dee695495cc717406116975c087cb569fce
SHA512c80c62a0c80a03c9d2dec9fb09e26e96239fd774d349c8285025ae0d1c096a22e5734977c89385b461126812eb0fd630a2c2f782ed740271b9f7692a38d56922
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C6D883D-9FC1-11ED-919F-C2D7A23AFBD4}.datFilesize
3KB
MD575cfac59b706a0aa81b9f08090fd7a60
SHA1918883c3f16f539f0776f68becd8b788d8387d97
SHA256b047082f96f1ae84bbf337eefaccb0b1116991e9161cde04bfae57cadb26e41a
SHA5124d771291ee28ba3c4b840a3f46887a5d1e088c6c6a4e93c1f3fdf8222d19bdb62306e53e1d203d9620c46f6813a67d90bc1fcf5c4505e77b2f4a561c0cbbad73
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C724D20-9FC1-11ED-919F-C2D7A23AFBD4}.datFilesize
3KB
MD5723df9c0799ccea0fdcf78fc58fbdb9c
SHA1d28c0dbc591f2d9fd34ba2f57c1b16276f14cefa
SHA2560898a416b9efce88eb630808eacd66106e47380284d1183cf5cade718d8bc7da
SHA51222640addd01e34a9e52be0c013f234c9c35f9fea4e3df01a17694b89d6aa87eea46dc90a5d617241630d5225469365675140c1bcd33c50a2a791982fcfba2d1a
-
memory/4044-133-0x00000000004B0000-0x00000000004D8000-memory.dmpFilesize
160KB
-
memory/4044-132-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4324-140-0x0000000000000000-mapping.dmp
-
memory/4792-138-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4792-142-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4792-141-0x0000000000460000-0x0000000000488000-memory.dmpFilesize
160KB
-
memory/4792-145-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4792-137-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4792-134-0x0000000000000000-mapping.dmp