Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2023 03:42
Behavioral task: behavioral1
- Sample: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe
- Resource: win10v2004-20220812-en
General
- Target: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe
- Size: 357KB
- MD5: c80dce1c7f49342bc4e3e7faec27574b
- SHA1: 591cd2f5ee09f24173725d95abb045b97545b043
- SHA256: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020
- SHA512: 1cedc6b1aed227f9a686a077b2fa0cd97f7a35e2fe3c5e90be4a3c061e03aad1587da2c47e93ae89f3bce954db3e87b8e2524bbf8c25e45fcfecdf2ad8a49120
- SSDEEP: 1536:Ih+CizEh+bTIKE5plPxM3/SaxAFZ/Zqrl+McbHu7qAMO9Bv+Pp9Zn0amGwSh:vCTb5pjMvVC/orl+9TuG7a2LZ0axwS
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
-
Executes dropped EXE 1 IoCs
Processes: WaterMark.exe
- pid 1208 WaterMark.exe
-
Resources matching yara_rule upx:
- \Program Files (x86)\Microsoft\WaterMark.exe
- \Program Files (x86)\Microsoft\WaterMark.exe
- behavioral1/memory/1380-58-0x0000000000400000-0x000000000045B000-memory.dmp
- C:\Program Files (x86)\Microsoft\WaterMark.exe
- behavioral1/memory/1208-59-0x0000000000400000-0x000000000045B000-memory.dmp
- C:\Program Files (x86)\Microsoft\WaterMark.exe
- behavioral1/memory/1208-70-0x0000000000400000-0x000000000045B000-memory.dmp
- behavioral1/memory/1208-184-0x0000000000400000-0x000000000045B000-memory.dmp
-
Loads dropped DLL 2 IoCs
Processes: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe
- pid 1380 f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe (2 entries)
-
Drops file in System32 directory 2 IoCs
Processes: svchost.exe
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
-
Drops file in Program Files directory 10 IoCs
Processes: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe, svchost.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\px1594.tmp (f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (svchost.exe)
- File opened for modification: C:\Program Files\7-Zip\7-zip.dll (svchost.exe)
- File opened for modification: C:\Program Files\7-Zip\7-zip32.dll (svchost.exe)
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe (svchost.exe)
- File opened for modification: C:\Program Files\7-Zip\7zG.exe (svchost.exe)
- File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe)
- File opened for modification: C:\Program Files\7-Zip\7z.dll (svchost.exe)
- File opened for modification: C:\Program Files\7-Zip\7z.exe (svchost.exe)
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: WaterMark.exe, svchost.exe
- pid 1208 WaterMark.exe (8 entries)
- pid 536 svchost.exe (17 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: WaterMark.exe, svchost.exe, svchost.exe
- Token: SeDebugPrivilege, pid 1208 WaterMark.exe
- Token: SeDebugPrivilege, pid 536 svchost.exe
- Token: SeDebugPrivilege, pid 1208 WaterMark.exe
- Token: SeDebugPrivilege, pid 700 svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe, WaterMark.exe, svchost.exe
(source pid and process, target pid and process, number of identical entries)
- PID 1380 f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe wrote to memory of 1208 WaterMark.exe (4 entries)
- PID 1208 WaterMark.exe wrote to memory of 700 svchost.exe (10 entries)
- PID 1208 WaterMark.exe wrote to memory of 536 svchost.exe (10 entries)
- PID 536 svchost.exe wrote to memory of 260 smss.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 336 csrss.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 372 wininit.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 384 csrss.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 420 winlogon.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 464 services.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 480 lsass.exe (5 entries)
- PID 536 svchost.exe wrote to memory of 488 lsm.exe (5 entries)
Processes (indented by process-tree depth; each entry gives the image path and its command line)
- C:\Windows\system32\lsass.exe
  cmd: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe
  cmd: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\system32\sppsvc.exe
    cmd: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\taskhost.exe
    cmd: "taskhost.exe"
  - C:\Windows\System32\spoolsv.exe
    cmd: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k RPCSS
- C:\Windows\system32\winlogon.exe
  cmd: winlogon.exe
- C:\Windows\system32\csrss.exe
  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe
  cmd: wininit.exe
  - C:\Windows\system32\lsm.exe
    cmd: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe
  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\System32\smss.exe
  cmd: \SystemRoot\System32\smss.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  cmd: wmiadap.exe /F /T /R
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020.exe"
    signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\WaterMark.exe
      cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        cmd: C:\Windows\system32\svchost.exe
        signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\svchost.exe
        cmd: C:\Windows\system32\svchost.exe
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe
  cmd: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
- Filesize: 357KB
- MD5: c80dce1c7f49342bc4e3e7faec27574b
- SHA1: 591cd2f5ee09f24173725d95abb045b97545b043
- SHA256: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020
- SHA512: 1cedc6b1aed227f9a686a077b2fa0cd97f7a35e2fe3c5e90be4a3c061e03aad1587da2c47e93ae89f3bce954db3e87b8e2524bbf8c25e45fcfecdf2ad8a49120
-
\Program Files (x86)\Microsoft\WaterMark.exe
- Filesize: 357KB
- MD5: c80dce1c7f49342bc4e3e7faec27574b
- SHA1: 591cd2f5ee09f24173725d95abb045b97545b043
- SHA256: f15c00e4d90df78c855c09e684d4a7b38fdf8c6562517c5ae4066fb6126c4020
- SHA512: 1cedc6b1aed227f9a686a077b2fa0cd97f7a35e2fe3c5e90be4a3c061e03aad1587da2c47e93ae89f3bce954db3e87b8e2524bbf8c25e45fcfecdf2ad8a49120
-
memory/536-76-0x0000000020010000-0x000000002001B000-memory.dmp (Filesize: 44KB)
-
memory/536-75-0x0000000000000000-mapping.dmp
-
memory/536-73-0x0000000020010000-0x000000002001B000-memory.dmp (Filesize: 44KB)
-
memory/700-64-0x0000000000000000-mapping.dmp
-
memory/700-62-0x0000000020010000-0x0000000020021000-memory.dmp (Filesize: 68KB)
-
memory/700-65-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
-
memory/700-66-0x0000000020010000-0x0000000020021000-memory.dmp (Filesize: 68KB)
-
memory/700-71-0x0000000020010000-0x0000000020021000-memory.dmp (Filesize: 68KB)
-
memory/1208-70-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
-
memory/1208-59-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
-
memory/1208-56-0x0000000000000000-mapping.dmp
-
memory/1208-128-0x0000000020020000-0x000000002002B000-memory.dmp (Filesize: 44KB)
-
memory/1208-184-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
-
memory/1380-58-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)