Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2023 03:42
Behavioral task: behavioral1
- Sample: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
- Resource: win10v2004-20220901-en
General
- Target: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
- Size: 53KB
- MD5: 16c173ad58c283909cc64c5d8ec7957a
- SHA1: 9667e6baa025dac16d1e01d4fc18eebe5f5e60c8
- SHA256: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d
- SHA512: 44af4a504789ef782a4844e641415be28e4aae1627aad848dff945e4650110d7b17d91f367c19913388373a11602ef05e93a2d3177e29672873f022564969d9d
- SSDEEP: 1536:giyy4Zexm5U1E+cZDuQnjZ+bz7/M4PZPOn1n:ly491EFMyjZ+bz7/ML1
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  process: svchost.exe
- Executes dropped EXE (1 IoC)
  Processes: WaterMark.exe
  pid 1268, process WaterMark.exe
- Yara rule matches (rule: upx)
  resource / yara_rule:
  \Program Files (x86)\Microsoft\WaterMark.exe: upx
  \Program Files (x86)\Microsoft\WaterMark.exe: upx
  behavioral1/memory/1708-58-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  C:\Program Files (x86)\Microsoft\WaterMark.exe: upx
  C:\Program Files (x86)\Microsoft\WaterMark.exe: upx
  behavioral1/memory/1268-60-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  behavioral1/memory/1268-71-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- Loads dropped DLL (2 IoCs)
  Processes: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
  pid 1708, process c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
  pid 1708, process c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
- Drops file in System32 directory (2 IoCs)
  Processes: svchost.exe
  File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- Drops file in Program Files directory (10 IoCs)
  Processes: svchost.exe, c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
  File opened for modification: C:\Program Files\7-Zip\7-zip32.dll (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7z.exe (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7zFM.exe (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7zG.exe (svchost.exe)
  File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe)
  File opened for modification: C:\Program Files\7-Zip\7-zip.dll (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\px1314.tmp (c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7z.dll (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WaterMark.exe
  pid 1268, process WaterMark.exe
  pid 1268, process WaterMark.exe
  pid 1268, process WaterMark.exe
  pid 1268, process WaterMark.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WaterMark.exe
  Token: SeDebugPrivilege, pid 1268, process WaterMark.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe, WaterMark.exe
  PID 1708 wrote to memory of 1268: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe -> WaterMark.exe
  PID 1708 wrote to memory of 1268: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe -> WaterMark.exe
  PID 1708 wrote to memory of 1268: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe -> WaterMark.exe
  PID 1708 wrote to memory of 1268: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe -> WaterMark.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
  PID 1268 wrote to memory of 1288: WaterMark.exe -> svchost.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Microsoft\WaterMark.exe
    command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Modifies WinLogon for persistence
      - Drops file in System32 directory
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 53KB
  MD5: 16c173ad58c283909cc64c5d8ec7957a
  SHA1: 9667e6baa025dac16d1e01d4fc18eebe5f5e60c8
  SHA256: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d
  SHA512: 44af4a504789ef782a4844e641415be28e4aae1627aad848dff945e4650110d7b17d91f367c19913388373a11602ef05e93a2d3177e29672873f022564969d9d
- \Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 53KB
  MD5: 16c173ad58c283909cc64c5d8ec7957a
  SHA1: 9667e6baa025dac16d1e01d4fc18eebe5f5e60c8
  SHA256: c610c346cf842b3f70c8fdea5353f98f154bff79a1358282509fdd887486c34d
  SHA512: 44af4a504789ef782a4844e641415be28e4aae1627aad848dff945e4650110d7b17d91f367c19913388373a11602ef05e93a2d3177e29672873f022564969d9d
- memory/1268-56-0x0000000000000000-mapping.dmp
- memory/1268-71-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/1268-60-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/1288-65-0x0000000075551000-0x0000000075553000-memory.dmp
  Filesize: 8KB
- memory/1288-64-0x0000000000000000-mapping.dmp
- memory/1288-62-0x0000000020010000-0x0000000020020000-memory.dmp
  Filesize: 64KB
- memory/1288-66-0x0000000020010000-0x0000000020020000-memory.dmp
  Filesize: 64KB
- memory/1288-70-0x0000000020010000-0x0000000020020000-memory.dmp
  Filesize: 64KB
- memory/1708-58-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB