Analysis
max time kernel: 17s
max time network: 148s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2023 20:56

Static task: static1
Behavioral task: behavioral1
Sample: 83b3bbff75e56d0f909b8cf46fed4890.dll
Resource: win7-20231020-en

General
Target: 83b3bbff75e56d0f909b8cf46fed4890.dll
Size: 564KB
MD5: 83b3bbff75e56d0f909b8cf46fed4890
SHA1: 31228d8d619decb64105e65ffae576f0ccddeb9c
SHA256: a1735e573eaa6b88ae074d9e59d3b1bbf856eda4737056f8d2b98a948061fd9c
SHA512: e841878f2f07ce9652f878b6a58f0037d251629c6f4b692445303660e103a8e03856b2a1249ad726ba9b2940edbe8e04a84949ea78dede6b6f45adf60d09fe16
SSDEEP: 12288:tehnaNPpSVZmNxRCwnwm3W3OHIIf5m9RhWFVU:teh0PpS6NxNnwYeOHXAhWTU
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32mgr.exe
UAC bypass (signature name taken from the rundll32mgr.exe entry in the process tree below)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe

Windows security bypass (signature name taken from the rundll32mgr.exe entry in the process tree below)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
Executes dropped EXE (2 IoCs)
  pid | process
  1732 | rundll32mgr.exe
  2716 | WaterMark.exe

Loads dropped DLL (4 IoCs)
  pid | process
  1652 | rundll32.exe
  1652 | rundll32.exe
  1732 | rundll32mgr.exe
  1732 | rundll32mgr.exe
Yara rule match: upx
  resource | yara_rule
  behavioral1/memory/1732-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-16-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
  behavioral1/memory/1732-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-31-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-32-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
  behavioral1/memory/1732-36-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
  behavioral1/memory/2716-55-0x0000000000400000-0x0000000000434000-memory.dmp | upx
  behavioral1/memory/2716-63-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-27-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
  behavioral1/memory/1732-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-20-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
  behavioral1/memory/1732-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1732-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2716-340-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2716-357-0x0000000077C70000-0x0000000077DF0000-memory.dmp | upx

Windows security modification (signature name taken from the rundll32mgr.exe entry in the process tree below)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe

Checks whether UAC is enabled (signature name taken from the rundll32mgr.exe entry in the process tree below)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

Drops file in Program Files directory (64 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px498E.tmp | rundll32mgr.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll | svchost.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | rundll32mgr.exe

Program crash (1 IoCs)
  pid | pid_target | process | target process
  1976 | 1652 | WerFault.exe | rundll32.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs; identical entries collapsed with a count)
  pid | process
  1732 | rundll32mgr.exe
  2716 | WaterMark.exe (8 entries)
  2188 | svchost.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (23 IoCs; identical entries collapsed with a count)
  description | pid | process
  Token: SeDebugPrivilege | 1732 | rundll32mgr.exe (18 entries)
  Token: SeDebugPrivilege | 2716 | WaterMark.exe
  Token: SeDebugPrivilege | 2188 | svchost.exe
  Token: SeDebugPrivilege | 1652 | rundll32.exe
  Token: SeDebugPrivilege | 1976 | WerFault.exe
  Token: SeDebugPrivilege | 2716 | WaterMark.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid | process
  1732 | rundll32mgr.exe
  2716 | WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed with a count)
  description | pid | process | target process
  PID 2564 wrote to memory of 1652 | 2564 | rundll32.exe | rundll32.exe (7 entries)
  PID 1652 wrote to memory of 1732 | 1652 | rundll32.exe | rundll32mgr.exe (4 entries)
  PID 1652 wrote to memory of 1976 | 1652 | rundll32.exe | WerFault.exe (4 entries)
  PID 1732 wrote to memory of 1172 | 1732 | rundll32mgr.exe | taskhost.exe
  PID 1732 wrote to memory of 1284 | 1732 | rundll32mgr.exe | Dwm.exe
  PID 1732 wrote to memory of 1316 | 1732 | rundll32mgr.exe | Explorer.EXE
  PID 1732 wrote to memory of 2716 | 1732 | rundll32mgr.exe | WaterMark.exe (4 entries)
  PID 2716 wrote to memory of 2668 | 2716 | WaterMark.exe | svchost.exe (10 entries)
  PID 2716 wrote to memory of 2188 | 2716 | WaterMark.exe | svchost.exe (10 entries)
  PID 2188 wrote to memory of 260 | 2188 | svchost.exe | smss.exe (5 entries)
  PID 2188 wrote to memory of 336 | 2188 | svchost.exe | csrss.exe (5 entries)
  PID 2188 wrote to memory of 372 | 2188 | svchost.exe | wininit.exe (5 entries)
  PID 2188 wrote to memory of 384 | 2188 | svchost.exe | csrss.exe (5 entries)
  PID 2188 wrote to memory of 420 | 2188 | svchost.exe | winlogon.exe (2 entries)

System policy modification (1 TTPs, 1 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Processes (image path | command line; indentation shows parent/child depth, signatures listed under each process)
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
  C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  C:\Windows\system32\taskhost.exe | "taskhost.exe"
  C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\winlogon.exe | winlogon.exe
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe | wininit.exe
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 228
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Program Files directory
  C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (1): Windows Service (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 164KB
  MD5: a3b1f1c4cd75bea10095e054f990bf1d
  SHA1: 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
  SHA256: a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
  SHA512: 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 342KB
  MD5: f360924e921f9895931556d0883bbe77
  SHA1: 6e82da26a0867b71851a17638bdb165855356419
  SHA256: 174cdcfbf0f40304f5fb495b8e8f3a312615ac01ad4194a8b0b72d7a3e010511
  SHA512: 7ffd0db2800a3f6a1d2ee544062f4c3f595e9452ebf29232de6c1979a3979f84a549cfa3136524fd322d18f96b8fa1ecd55470c655dc266289b24f777eb5fcf7

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 338KB
  MD5: 6aacc70a71e2b0fb1d17b985337c7c3f
  SHA1: ec2ce80d2d4595a3eb8efc1bdce5dd4834a7e6af
  SHA256: 4be9e3288a04cd5153322da567d705f33d87deed111c74a1260d24d77754172b
  SHA512: 6114429860088cc62d1e65fac6c8994ecc9fa284dc0fa98b31780e0e19de589d3e26f9659e9a9f5e16c0705aa4aa46b83e573010cea2fcb88380412946cc5eba

C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 164KB
  MD5: a3b1f1c4cd75bea10095e054f990bf1d
  SHA1: 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
  SHA256: a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
  SHA512: 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

\Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 164KB
  MD5: a3b1f1c4cd75bea10095e054f990bf1d
  SHA1: 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
  SHA256: a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
  SHA512: 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 164KB
  MD5: a3b1f1c4cd75bea10095e054f990bf1d
  SHA1: 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
  SHA256: a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
  SHA512: 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

Memory dumps (resource | Filesize)
memory/1172-23-0x00000000003D0000-0x00000000003D2000-memory.dmp | 8KB
memory/1652-4-0x00000000001A0000-0x00000000001D4000-memory.dmp | 208KB
memory/1652-318-0x0000000077C90000-0x0000000077C91000-memory.dmp | 4KB
memory/1652-314-0x0000000000150000-0x0000000000151000-memory.dmp | 4KB
memory/1652-313-0x00000000001C0000-0x00000000001C1000-memory.dmp | 4KB
memory/1652-6253-0x0000000010000000-0x000000001008B000-memory.dmp | 556KB
memory/1652-10-0x00000000001A0000-0x00000000001D4000-memory.dmp | 208KB
memory/1652-2-0x0000000010000000-0x000000001008B000-memory.dmp | 556KB
memory/1732-36-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/1732-31-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-12-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-14-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/1732-16-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/1732-19-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-25-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-32-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/1732-49-0x00000000007B0000-0x00000000007E4000-memory.dmp | 208KB
memory/1732-52-0x00000000007B0000-0x00000000007E4000-memory.dmp | 208KB
memory/1732-13-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-17-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-18-0x0000000000160000-0x0000000000161000-memory.dmp | 4KB
memory/1732-27-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/1732-24-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1732-20-0x00000000026A0000-0x000000000372E000-memory.dmp | 16.6MB
memory/2188-95-0x0000000020010000-0x000000002001B000-memory.dmp | 44KB
memory/2188-114-0x0000000077C90000-0x0000000077C91000-memory.dmp | 4KB
memory/2668-89-0x0000000020010000-0x0000000020022000-memory.dmp | 72KB
memory/2668-83-0x0000000020010000-0x0000000020022000-memory.dmp | 72KB
memory/2668-81-0x00000000000C0000-0x00000000000C1000-memory.dmp | 4KB
memory/2668-85-0x00000000000D0000-0x00000000000D1000-memory.dmp | 4KB
memory/2668-76-0x0000000020010000-0x0000000020022000-memory.dmp | 72KB
memory/2668-66-0x0000000020010000-0x0000000020022000-memory.dmp | 72KB
memory/2668-79-0x00000000000E0000-0x00000000000E1000-memory.dmp | 4KB
memory/2668-362-0x0000000020010000-0x0000000020022000-memory.dmp | 72KB
memory/2668-68-0x00000000000C0000-0x00000000000C1000-memory.dmp | 4KB
memory/2716-55-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/2716-340-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/2716-355-0x0000000077C8F000-0x0000000077C90000-memory.dmp | 4KB
memory/2716-357-0x0000000077C70000-0x0000000077DF0000-memory.dmp | 1.5MB
memory/2716-62-0x00000000003E0000-0x00000000003E1000-memory.dmp | 4KB
memory/2716-539-0x0000000077C70000-0x0000000077DF0000-memory.dmp | 1.5MB
memory/2716-64-0x0000000077C8F000-0x0000000077C90000-memory.dmp | 4KB
memory/2716-93-0x00000000003F0000-0x00000000003F1000-memory.dmp | 4KB
memory/2716-63-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB