Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2023 03:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
- Resource: win7-20220812-en
General
- Target: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
- Size: 160KB
- MD5: 896d561765d793ad98a6e17155d78440
- SHA1: ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
- SHA256: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
- SHA512: 0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
- SSDEEP: 3072:iT2xNfzEmPUac0yCRS9EK0TLmkQzWAJ4IeQkXN5gNAm6Nk:mkPpe0mkQzxJ4IeQC+aE
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Modifies firewall policy service (2 TTPs, 9 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, svchost.exe, WaterMark.exe
All values below live under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
description | ioc | process
Set value (int) | DisableNotifications = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | EnableFirewall = "0" | svchost.exe
Set value (int) | DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | DisableNotifications = "1" | WaterMark.exe
Set value (int) | DisableNotifications = "1" | svchost.exe
Set value (int) | EnableFirewall = "0" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | DoNotAllowExceptions = "0" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | EnableFirewall = "0" | WaterMark.exe
Set value (int) | DoNotAllowExceptions = "0" | WaterMark.exe
UAC bypass (signature name as listed in the process tree; missing from this section in the source)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Windows security bypass (signature name as listed in the process tree; missing from this section in the source)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, svchost.exe, WaterMark.exe
All values below live under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\
description | ioc | process
Set value (int) | AntiVirusDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | UacDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallDisableNotify = "1" | svchost.exe
Set value (int) | UpdatesDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallDisableNotify = "1" | WaterMark.exe
Set value (int) | UpdatesDisableNotify = "1" | WaterMark.exe
Set value (int) | UacDisableNotify = "1" | WaterMark.exe
Set value (int) | AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | AntiVirusOverride = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallOverride = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | AntiVirusOverride = "1" | WaterMark.exe
Set value (int) | FirewallOverride = "1" | WaterMark.exe
Set value (int) | UacDisableNotify = "1" | svchost.exe
Set value (int) | AntiVirusDisableNotify = "1" | WaterMark.exe
Set value (int) | AntiVirusOverride = "1" | svchost.exe
Set value (int) | FirewallOverride = "1" | svchost.exe
Set value (int) | UpdatesDisableNotify = "1" | svchost.exe
Executes dropped EXE (1 IoC)
Processes: WaterMark.exe
pid | process
1656 | WaterMark.exe
Yara rule matches: upx (signature name missing from this section in the source)
resource | yara_rule
behavioral1/memory/1488-55-0x0000000002120000-0x00000000031AE000-memory.dmp | upx
behavioral1/memory/1488-59-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1488-58-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1488-64-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1488-66-0x0000000002120000-0x00000000031AE000-memory.dmp | upx
behavioral1/memory/1488-61-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1656-68-0x0000000002140000-0x00000000031CE000-memory.dmp | upx
behavioral1/memory/1656-79-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1656-83-0x0000000002140000-0x00000000031CE000-memory.dmp | upx
behavioral1/memory/1656-86-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1656-151-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1656-152-0x0000000002140000-0x00000000031CE000-memory.dmp | upx
behavioral1/memory/288-203-0x0000000002C50000-0x0000000003CDE000-memory.dmp | upx
behavioral1/memory/288-285-0x0000000002C50000-0x0000000003CDE000-memory.dmp | upx
Deletes itself (1 IoC)
Processes: WaterMark.exe
pid | process
1656 | WaterMark.exe
Loads dropped DLL (2 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
pid | process
1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Windows security modification (signature name as listed in the process tree; missing from this section in the source)
Processes: WaterMark.exe, d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
All keys and values below live under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\
description | ioc | process
Set value (int) | FirewallDisableNotify = "1" | WaterMark.exe
Set value (int) | AntiVirusOverride = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | AntiVirusDisableNotify = "1" | WaterMark.exe
Set value (int) | UacDisableNotify = "1" | WaterMark.exe
Key created | Svc | WaterMark.exe
Set value (int) | FirewallOverride = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | AntiVirusOverride = "1" | WaterMark.exe
Set value (int) | UacDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallOverride = "1" | WaterMark.exe
Set value (int) | UpdatesDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Key created | Svc | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | UpdatesDisableNotify = "1" | WaterMark.exe
Set value (int) | AntiVirusDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | FirewallDisableNotify = "1" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Checks whether UAC is enabled (signature name as listed in the process tree; missing from this section in the source)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe, WaterMark.exe
description | ioc | process
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\J: | WaterMark.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\G: | WaterMark.exe
File opened (read-only) | \??\H: | WaterMark.exe
File opened (read-only) | \??\K: | WaterMark.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\E: | WaterMark.exe
File opened (read-only) | \??\I: | WaterMark.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\autorun.inf | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
Drops file in Program Files directory (5 IoCs)
Processes: svchost.exe, d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px2C0.tmp | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
Drops file in Windows directory (1 IoC)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe, svchost.exe, svchost.exe
pid | process | entries
1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | 1
1656 | WaterMark.exe | 10
1840 | svchost.exe | 5
288 | svchost.exe | 11
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe, svchost.exe
description | pid | process | entries (in the order recorded)
Token: SeDebugPrivilege | 1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | 20
Token: SeDebugPrivilege | 1656 | WaterMark.exe | 21
Token: SeDebugPrivilege | 1840 | svchost.exe | 1
Token: SeDebugPrivilege | 1656 | WaterMark.exe | 1
Suspicious use of UnmapMainImage (2 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe
pid | process
1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
1656 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe, WaterMark.exe, svchost.exe
description | pid | process | target process | entries (in the order recorded)
PID 1488 wrote to memory of 1160 | 1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | taskhost.exe | 1
PID 1488 wrote to memory of 1232 | 1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | Dwm.exe | 1
PID 1488 wrote to memory of 1284 | 1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | Explorer.EXE | 1
PID 1488 wrote to memory of 1656 | 1488 | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe | WaterMark.exe | 4
PID 1656 wrote to memory of 1160 | 1656 | WaterMark.exe | taskhost.exe | 1
PID 1656 wrote to memory of 1232 | 1656 | WaterMark.exe | Dwm.exe | 1
PID 1656 wrote to memory of 1284 | 1656 | WaterMark.exe | Explorer.EXE | 1
PID 1656 wrote to memory of 288 | 1656 | WaterMark.exe | svchost.exe | 10
PID 1656 wrote to memory of 1840 | 1656 | WaterMark.exe | svchost.exe | 1
PID 1656 wrote to memory of 1160 | 1656 | WaterMark.exe | taskhost.exe | 1
PID 1656 wrote to memory of 1232 | 1656 | WaterMark.exe | Dwm.exe | 1
PID 1656 wrote to memory of 1284 | 1656 | WaterMark.exe | Explorer.EXE | 1
PID 1656 wrote to memory of 288 | 1656 | WaterMark.exe | svchost.exe | 2
PID 1656 wrote to memory of 1840 | 1656 | WaterMark.exe | svchost.exe | 11
PID 1840 wrote to memory of 260 | 1840 | svchost.exe | smss.exe | 5
PID 1840 wrote to memory of 332 | 1840 | svchost.exe | csrss.exe | 5
PID 1840 wrote to memory of 368 | 1840 | svchost.exe | wininit.exe | 5
PID 1840 wrote to memory of 380 | 1840 | svchost.exe | csrss.exe | 5
PID 1840 wrote to memory of 416 | 1840 | svchost.exe | winlogon.exe | 5
PID 1840 wrote to memory of 460 | 1840 | svchost.exe | services.exe | 2
System policy modification (1 TTP, 2 IoCs)
Processes: WaterMark.exe, d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Processes
(Each entry gives the image path, then the command line; the bracketed number is the tree depth marker from the original report, and nested entries are children of the entry above them.)
- [1] C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\services.exe
  command line: C:\Windows\system32\services.exe
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k RPCSS
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k NetworkService
  - [2] C:\Windows\system32\sppsvc.exe
    command line: C:\Windows\system32\sppsvc.exe
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - [2] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - [2] C:\Windows\System32\spoolsv.exe
    command line: C:\Windows\System32\spoolsv.exe
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalService
  - [2] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - [2] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - [2] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- [1] C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
- [1] C:\Windows\system32\csrss.exe
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- [1] C:\Windows\system32\wininit.exe
  command line: wininit.exe
  - [2] C:\Windows\system32\lsm.exe
    command line: C:\Windows\system32\lsm.exe
- [1] C:\Windows\system32\csrss.exe
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- [1] C:\Windows\System32\smss.exe
  command line: \SystemRoot\System32\smss.exe
- [1] \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  command line: wmiadap.exe /F /T /R
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Program Files (x86)\Microsoft\WaterMark.exe
      command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Deletes itself
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - [4] C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 160KB
  MD5: 896d561765d793ad98a6e17155d78440
  SHA1: ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
  SHA256: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
  SHA512: 0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
- C:\Windows\SYSTEM.INI
  Filesize: 255B
  MD5: cf93e4d26ba68966ce9a11e994a5a9d3
  SHA1: f52e887aa5a6357a48a8c1c0f62e5c8e447cc1e4
  SHA256: 9e8c2c209c85a359d8720dc82254f95d34e0676ab9c0563c638afaf7bfdec807
  SHA512: 8daafc03b1eb33f303e8340621745345f93459b20fb66903c5b9743c3afdf71fe21c7203548d562d1bb4c58a5205cb9e82d22c32c67a61078ddb1e2b3bced44f
- \Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 160KB
  MD5: 896d561765d793ad98a6e17155d78440
  SHA1: ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
  SHA256: d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
  SHA512: 0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
Memory dumps (name, with filesize where the report gives one):
- memory/288-78-0x0000000000000000-mapping.dmp
- memory/288-76-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/288-109-0x0000000000190000-0x0000000000192000-memory.dmp (8KB)
- memory/288-200-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/288-285-0x0000000002C50000-0x0000000003CDE000-memory.dmp (16.6MB)
- memory/288-81-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/288-203-0x0000000002C50000-0x0000000003CDE000-memory.dmp (16.6MB)
- memory/288-88-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/1488-66-0x0000000002120000-0x00000000031AE000-memory.dmp (16.6MB)
- memory/1488-55-0x0000000002120000-0x00000000031AE000-memory.dmp (16.6MB)
- memory/1488-59-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1488-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (8KB)
- memory/1488-61-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1488-58-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1488-199-0x0000000002120000-0x00000000031AE000-memory.dmp (16.6MB)
- memory/1488-64-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1656-79-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1656-86-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1656-151-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1656-152-0x0000000002140000-0x00000000031CE000-memory.dmp (16.6MB)
- memory/1656-84-0x00000000003F0000-0x00000000003F2000-memory.dmp (8KB)
- memory/1656-83-0x0000000002140000-0x00000000031CE000-memory.dmp (16.6MB)
- memory/1656-68-0x0000000002140000-0x00000000031CE000-memory.dmp (16.6MB)
- memory/1656-63-0x0000000000000000-mapping.dmp
- memory/1840-90-0x0000000020010000-0x000000002001B000-memory.dmp (44KB)
- memory/1840-92-0x0000000000000000-mapping.dmp
- memory/1840-93-0x0000000020010000-0x000000002001B000-memory.dmp (44KB)
- memory/1840-110-0x0000000000090000-0x0000000000092000-memory.dmp (8KB)
- memory/1840-202-0x0000000000090000-0x0000000000092000-memory.dmp (8KB)