Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-01-2023 03:42
Static task
static1
Behavioral task
behavioral1
Sample
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Resource
win7-20220812-en
General
-
Target
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
-
Size
160KB
-
MD5
896d561765d793ad98a6e17155d78440
-
SHA1
ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
-
SHA256
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
-
SHA512
0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
SSDEEP
3072:iT2xNfzEmPUac0yCRS9EK0TLmkQzWAJ4IeQkXN5gNAm6Nk:mkPpe0mkQzxJ4IeQC+aE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
UAC bypass (signature heading missing from this extract; reconstructed from the process-tree signature list below)
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Windows security bypass (signature heading missing from this extract; reconstructed from the process-tree signature list below)
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Executes dropped EXE 1 IoCs
Processes:
WaterMark.exepid process 1756 WaterMark.exe -
(signature heading missing from this extract; the yara_rule column below is tagged upx for every listed memory region)
Processes:
resource yara_rule behavioral2/memory/4736-135-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4736-137-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4736-136-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/4736-138-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/4736-139-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/4736-133-0x0000000002590000-0x000000000361E000-memory.dmp upx behavioral2/memory/4736-143-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4736-145-0x0000000002590000-0x000000000361E000-memory.dmp upx behavioral2/memory/1756-147-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/1756-152-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/1756-151-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/1756-150-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/1756-157-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Windows security modification (signature heading missing from this extract; reconstructed from the process-tree signature list below)
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Checks whether UAC is enabled (signature heading missing from this extract; reconstructed from the process-tree signature list below)
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Drops file in Program Files directory 3 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\px6A38.tmp d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Drops file in Windows directory 1 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe -
Modifies Internet Explorer settings (signature heading missing from this extract; reconstructed from the process-tree signature list below)
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011941" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{868C0133-A058-11ED-B696-5E3721E937B7} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011941" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1536345044" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011941" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011941" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1542595011" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1542750778" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381818734" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{868BDA23-A058-11ED-B696-5E3721E937B7} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1536345044" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exeWaterMark.exepid process 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe 1756 WaterMark.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 1032 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exeWaterMark.exedescription pid process Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe Token: SeDebugPrivilege 1756 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exeiexplore.exepid process 1032 iexplore.exe 2728 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEpid process 2728 iexplore.exe 2728 iexplore.exe 1032 iexplore.exe 1032 iexplore.exe 4692 IEXPLORE.EXE 4692 IEXPLORE.EXE 4824 IEXPLORE.EXE 4824 IEXPLORE.EXE 4692 IEXPLORE.EXE 4692 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exeWaterMark.exepid process 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe 1756 WaterMark.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exeWaterMark.exeiexplore.exeiexplore.exedescription pid process target process PID 4736 wrote to memory of 1756 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe WaterMark.exe PID 4736 wrote to memory of 1756 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe WaterMark.exe PID 4736 wrote to memory of 1756 4736 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe WaterMark.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 3480 1756 WaterMark.exe svchost.exe PID 1756 wrote to memory of 2728 1756 WaterMark.exe iexplore.exe PID 1756 wrote to memory of 2728 1756 WaterMark.exe iexplore.exe PID 1756 wrote to memory of 1032 1756 WaterMark.exe iexplore.exe PID 1756 wrote to memory of 1032 1756 WaterMark.exe iexplore.exe PID 2728 wrote to memory of 4824 2728 iexplore.exe IEXPLORE.EXE PID 2728 wrote to memory of 4824 2728 iexplore.exe IEXPLORE.EXE PID 2728 wrote to memory of 4824 2728 iexplore.exe IEXPLORE.EXE PID 1032 wrote to memory of 4692 1032 iexplore.exe IEXPLORE.EXE PID 1032 wrote to memory of 4692 1032 iexplore.exe IEXPLORE.EXE PID 1032 wrote to memory of 4692 1032 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe — command line: "C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe" (tree depth 1)
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe — command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe" (tree depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe — command line: C:\Windows\system32\svchost.exe (tree depth 3). The image path is shown as SysWOW64 although the command line names system32, consistent with a 32-bit (WOW64) parent; the WriteProcessMemory IoCs above show PID 1756 WaterMark.exe writing into a svchost.exe process, so this child is likely the injection target even though no signatures are attributed to it.
-
C:\Program Files\Internet Explorer\iexplore.exe — command line: "C:\Program Files\Internet Explorer\iexplore.exe" (tree depth 3)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE — command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:17410 /prefetch:2 (tree depth 4)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe — command line: "C:\Program Files\Internet Explorer\iexplore.exe" (tree depth 3)
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE — command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:17410 /prefetch:2 (tree depth 4)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize 160KB
MD5 896d561765d793ad98a6e17155d78440
SHA1 ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA512 0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
(hashes identical to the submitted sample above: the dropped WaterMark.exe is a byte-for-byte copy of it)
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize 160KB
MD5 896d561765d793ad98a6e17155d78440
SHA1 ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256 d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA512 0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 471B
MD5 0518b0c986ebecc2e8b7d18563f3a3f9
SHA1 f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f
SHA256 5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492
SHA512 a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 404B
MD5 36f62dc8408cdfed6204f4d055b58b50
SHA1 b930e41f6a50624897bb78a34854bb53dea361e1
SHA256 63c2c690d3205dc175f8378560011874b62fb7d6a74695a7c22ce8d6ed673c5a
SHA512 2bdb9299dac81874d527a9cdfa7cf119e658706debed9fdcbee7e793302043663b3394607c04f6b101a73c630b8c72dafee2071f6576b5d99183499eb78770ac
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{868BDA23-A058-11ED-B696-5E3721E937B7}.dat
Filesize 5KB
MD5 cd99c5557a73cd02a95f7f6dad660d77
SHA1 7153f0832f2490dc84fb7521224bf0c4261922fb
SHA256 7c9fa06ebdd378b29088fa464536c39bed8f8a04e10132f02812597d62c18e03
SHA512 86908572b99cd8216f642cd974d1d8b409705a2fe6564cf1c50638a9b21f645ef91877d9aa53d06b5a49dfa78421627bb8e2deab851e8f20161be37d0604067d
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{868C0133-A058-11ED-B696-5E3721E937B7}.dat
Filesize 3KB
MD5 16c170a74f7ed6880150f00937d27281
SHA1 6b40a8b878ffb4f5175097b4fad7bcd654177c56
SHA256 86419a90a0943e832cf8e98ba6c1e4fb39ed2068f6987898d4462f7b22d1d48f
SHA512 39b3a49b2ce81f98f8758b84b6134ef4c086d8e91e3513d2ef008521687c5964b2dd942333aa7f9d1462215448243396ebf3ecf6c97103680de7d233012b8251
-
memory/1756-152-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1756-157-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/1756-140-0x0000000000000000-mapping.dmp
-
memory/1756-150-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1756-151-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1756-147-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/3480-154-0x0000000000000000-mapping.dmp
-
memory/4736-145-0x0000000002590000-0x000000000361E000-memory.dmp
Filesize 16.6MB
-
memory/4736-143-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4736-135-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4736-133-0x0000000002590000-0x000000000361E000-memory.dmp
Filesize 16.6MB
-
memory/4736-139-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/4736-138-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/4736-158-0x0000000002590000-0x000000000361E000-memory.dmp
Filesize 16.6MB
-
memory/4736-136-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/4736-137-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB