Analysis
-
max time kernel
138s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06-12-2023 20:56
Static task
static1
Behavioral task
behavioral1
Sample
83b3bbff75e56d0f909b8cf46fed4890.dll
Resource
win7-20231020-en
General
-
Target
83b3bbff75e56d0f909b8cf46fed4890.dll
-
Size
564KB
-
MD5
83b3bbff75e56d0f909b8cf46fed4890
-
SHA1
31228d8d619decb64105e65ffae576f0ccddeb9c
-
SHA256
a1735e573eaa6b88ae074d9e59d3b1bbf856eda4737056f8d2b98a948061fd9c
-
SHA512
e841878f2f07ce9652f878b6a58f0037d251629c6f4b692445303660e103a8e03856b2a1249ad726ba9b2940edbe8e04a84949ea78dede6b6f45adf60d09fe16
-
SSDEEP
12288:tehnaNPpSVZmNxRCwnwm3W3OHIIf5m9RhWFVU:teh0PpS6NxNnwYeOHXAhWTU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32mgr.exe
-
UAC bypass 1 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
-
Windows security bypass 6 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
-
Executes dropped EXE 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid | process
4860 | rundll32mgr.exe
4188 | WaterMark.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4860-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-11-0x0000000003160000-0x00000000041EE000-memory.dmp | upx
behavioral2/memory/4860-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4188-30-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4860-35-0x0000000003160000-0x00000000041EE000-memory.dmp | upx
behavioral2/memory/4188-41-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral2/memory/4188-42-0x0000000000400000-0x0000000000421000-memory.dmp | upx
-
Windows security modification 7 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | rundll32mgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
-
Checks whether UAC is enabled 1 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
-
Drops file in Program Files directory 3 IoCs
Processes: rundll32mgr.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\px64C0.tmp | rundll32mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1716 | 4800 | WerFault.exe | rundll32.exe
-
Modifies Internet Explorer settings 48 IoCs
Processes: IEXPLORE.EXE, IEXPLORE.EXE, iexplore.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "939480432" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408661361" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "915729168" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "915729168" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31074439" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31074439" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "939480432" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31074439" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6240D846-947A-11EE-A817-7E14E73CE8BA} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31074439" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{622DC1EC-947A-11EE-A817-7E14E73CE8BA} = "0" | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: WaterMark.exe
pid | process
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
4188 | WaterMark.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
4852 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: WaterMark.exe
description | pid | process
Token: SeDebugPrivilege | 4188 | WaterMark.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe, iexplore.exe
pid | process
4852 | iexplore.exe
1108 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
4852 | iexplore.exe
4852 | iexplore.exe
1108 | iexplore.exe
1108 | iexplore.exe
928 | IEXPLORE.EXE
928 | IEXPLORE.EXE
4560 | IEXPLORE.EXE
4560 | IEXPLORE.EXE
928 | IEXPLORE.EXE
928 | IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid | process
4860 | rundll32mgr.exe
4188 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe, WaterMark.exe, iexplore.exe, iexplore.exe
description | pid | process | target process
PID 4040 wrote to memory of 4800 | 4040 | rundll32.exe | rundll32.exe
PID 4040 wrote to memory of 4800 | 4040 | rundll32.exe | rundll32.exe
PID 4040 wrote to memory of 4800 | 4040 | rundll32.exe | rundll32.exe
PID 4800 wrote to memory of 4860 | 4800 | rundll32.exe | rundll32mgr.exe
PID 4800 wrote to memory of 4860 | 4800 | rundll32.exe | rundll32mgr.exe
PID 4800 wrote to memory of 4860 | 4800 | rundll32.exe | rundll32mgr.exe
PID 4860 wrote to memory of 4188 | 4860 | rundll32mgr.exe | WaterMark.exe
PID 4860 wrote to memory of 4188 | 4860 | rundll32mgr.exe | WaterMark.exe
PID 4860 wrote to memory of 4188 | 4860 | rundll32mgr.exe | WaterMark.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 4600 | 4188 | WaterMark.exe | svchost.exe
PID 4188 wrote to memory of 1108 | 4188 | WaterMark.exe | iexplore.exe
PID 4188 wrote to memory of 1108 | 4188 | WaterMark.exe | iexplore.exe
PID 4188 wrote to memory of 4852 | 4188 | WaterMark.exe | iexplore.exe
PID 4188 wrote to memory of 4852 | 4188 | WaterMark.exe | iexplore.exe
PID 1108 wrote to memory of 4560 | 1108 | iexplore.exe | IEXPLORE.EXE
PID 1108 wrote to memory of 4560 | 1108 | iexplore.exe | IEXPLORE.EXE
PID 1108 wrote to memory of 4560 | 1108 | iexplore.exe | IEXPLORE.EXE
PID 4852 wrote to memory of 928 | 4852 | iexplore.exe | IEXPLORE.EXE
PID 4852 wrote to memory of 928 | 4852 | iexplore.exe | IEXPLORE.EXE
PID 4852 wrote to memory of 928 | 4852 | iexplore.exe | IEXPLORE.EXE
-
System policy modification 1 TTPs 1 IoCs
Processes: rundll32mgr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Processes
-
C:\Windows\system32\rundll32.exe (process tree level 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (process tree level 2)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#1
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exe (process tree level 3)
Command line: C:\Windows\SysWOW64\rundll32mgr.exe
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe (process tree level 4)
Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe (process tree level 5)
Command line: C:\Windows\system32\svchost.exe
-
C:\Program Files\Internet Explorer\iexplore.exe (process tree level 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (process tree level 6)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe (process tree level 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (process tree level 6)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exe (process tree level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 608
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (process tree level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4800 -ip 4800
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize 164KB
MD5 a3b1f1c4cd75bea10095e054f990bf1d
SHA1 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256 a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA512 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{622DC1EC-947A-11EE-A817-7E14E73CE8BA}.dat
Filesize 3KB
MD5 f691b878472d2a087ab54ac921417e09
SHA1 7ac0767c6a09a864a41738ab5e948e32c038faf6
SHA256 6eb953c241d3d538587cf8098fd29469acf90594b8491a0114f716ad87f43055
SHA512 77ad6d985b1ed3690d521e4b0dc4724a1995bea2b33d1dd492bce3be9f8ec554334f14d0de8694951d06a9440a2bcd79dd179793ada3c9f8757445aacdd386f2
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6240D846-947A-11EE-A817-7E14E73CE8BA}.dat
Filesize 5KB
MD5 61171a25ecc5b304bad94950eb52493d
SHA1 3b37ed6172572b7475670b8af2c4ab5194f46389
SHA256 6b3f9b49d767b13d2d42f7ae6e1cea02a21ff4fb89d8fc7fe5b55163f7e2f283
SHA512 7124dcc11b34a7de5cafc3ff99679f40cbe14d568e4631c7022a1bc7f567cefc0fc16898ed6c40d0ab7d55de6e31902f716c8e126dc75d78c0c30abf68b96e0b
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE980.tmp
Filesize 15KB
MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKI5XVIY\suggestions[1].en-US
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize 164KB
MD5 a3b1f1c4cd75bea10095e054f990bf1d
SHA1 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256 a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA512 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
memory/4188-37-0x0000000076EF2000-0x0000000076EF3000-memory.dmp
Filesize 4KB
-
memory/4188-33-0x0000000076EF2000-0x0000000076EF3000-memory.dmp
Filesize 4KB
-
memory/4188-42-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4188-41-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/4188-38-0x0000000000070000-0x0000000000071000-memory.dmp
Filesize 4KB
-
memory/4188-32-0x0000000000060000-0x0000000000061000-memory.dmp
Filesize 4KB
-
memory/4188-22-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/4188-30-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4800-36-0x0000000010000000-0x000000001008B000-memory.dmp
Filesize 556KB
-
memory/4800-0-0x0000000010000000-0x000000001008B000-memory.dmp
Filesize 556KB
-
memory/4860-10-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-16-0x0000000000930000-0x0000000000931000-memory.dmp
Filesize 4KB
-
memory/4860-35-0x0000000003160000-0x00000000041EE000-memory.dmp
Filesize 16.6MB
-
memory/4860-14-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-11-0x0000000003160000-0x00000000041EE000-memory.dmp
Filesize 16.6MB
-
memory/4860-9-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-8-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-15-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-17-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-7-0x0000000000400000-0x0000000000421000-memory.dmp
Filesize 132KB
-
memory/4860-4-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB