Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2024, 14:02

Static task: static1
Behavioral task: behavioral1
Sample: 3d0a7935310b1fde5b39d9e7a7e5652d.exe
Resource: win7-20231215-en
General
Target: 3d0a7935310b1fde5b39d9e7a7e5652d.exe
Size: 68KB
MD5: 3d0a7935310b1fde5b39d9e7a7e5652d
SHA1: 8fdc9d8799b9fca3ed5f2d5d3cf9b0ec7464202f
SHA256: 8aa9ab89716f8003ca999456a7784b51f1242273c0faa80cb2e777cd31fc0c91
SHA512: 2d5bd67c19c462bc22d2092fe3bf9c45969092e0d41f5bb61fb6e587946bc5537d302926f7f979649cf43e06cc13498dbfaa98f2dc283157172a846cddd8a33d
SSDEEP: 1536:v8kwilTEhU4HDa1KkjWXUa21mc/Mue9KOq:3hlohUEK9ekpgq
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
    process: svchost.exe
Executes dropped EXE (1 IoC)
    pid 2008  WaterMark.exe
Loads dropped DLL (2 IoCs)
    pid 2004  3d0a7935310b1fde5b39d9e7a7e5652d.exe
    pid 2004  3d0a7935310b1fde5b39d9e7a7e5652d.exe
YARA matches (resource / yara_rule)
    behavioral1/memory/2008-15-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral1/memory/2008-13-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral1/memory/2004-1-0x0000000000400000-0x0000000000421000-memory.dmp    upx
    behavioral1/memory/2008-246-0x0000000000400000-0x0000000000421000-memory.dmp  upx
    behavioral1/memory/2008-410-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Drops file in System32 directory (2 IoCs)
    File opened for modification  C:\Windows\SysWOW64\dmlconf.dat  svchost.exe
    File created                  C:\Windows\SysWOW64\dmlconf.dat  svchost.exe
Drops file in Program Files directory (64 IoCs)
    All 64 events are "File opened for modification" by svchost.exe on the following paths:
    C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL
    C:\Program Files\Internet Explorer\jsprofilerui.dll
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll
    C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll
    C:\Program Files\Java\jre7\bin\eula.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll
    C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
    C:\Program Files\Java\jre7\bin\policytool.exe
    C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll
    C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll
    C:\Program Files\Internet Explorer\D3DCompiler_47.dll
    C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll
    C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll
    C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL
    C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll
    C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html
    C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll
    C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll
    C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwLatin.dll
    C:\Program Files\Internet Explorer\msdbg2.dll
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
    C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
    C:\Program Files\Windows Defender\MpCommu.dll
    C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll
    C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll
    C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html
    C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
    C:\Program Files\Java\jre7\bin\installer.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL
    C:\Program Files\7-Zip\7-zip.dll
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll
    C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll
    C:\Program Files\Java\jre7\bin\ssv.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html
    C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll
    C:\Program Files\Java\jre7\bin\java.dll
    C:\Program Files\Java\jre7\bin\jfxwebkit.dll
    C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html
    C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll
Suspicious behavior: EnumeratesProcesses (36 IoCs)
    pid 2008  WaterMark.exe  (8 events)
    pid 2120  svchost.exe    (28 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token: SeDebugPrivilege  pid 2008  WaterMark.exe
    Token: SeDebugPrivilege  pid 2120  svchost.exe
    Token: SeDebugPrivilege  pid 2008  WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
    source pid  source process                        target pid  procid_target  events
    2004        3d0a7935310b1fde5b39d9e7a7e5652d.exe  2008        28             4
    2008        WaterMark.exe                         2716        29             10
    2008        WaterMark.exe                         2120        30             10
    2120        svchost.exe                           260         4              5
    2120        svchost.exe                           336         3              5
    2120        svchost.exe                           372         2              5
    2120        svchost.exe                           388         1              5
    2120        svchost.exe                           424         5              5
    2120        svchost.exe                           468         7              5
    2120        svchost.exe                           484         6              5
    2120        svchost.exe                           492         8              5
Processes
(indentation reflects depth in the process tree; each entry gives image path, PID and command line)

C:\Windows\system32\csrss.exe (PID 388)
    cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe (PID 372)
    cmdline: wininit.exe
    C:\Windows\system32\lsass.exe (PID 484)
        cmdline: C:\Windows\system32\lsass.exe
    C:\Windows\system32\services.exe (PID 468)
        cmdline: C:\Windows\system32\services.exe
        C:\Windows\system32\svchost.exe (PID 620)
            cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        C:\Windows\System32\spoolsv.exe (PID 108)
            cmdline: C:\Windows\System32\spoolsv.exe
        C:\Windows\system32\taskhost.exe (PID 1256)
            cmdline: "taskhost.exe"
        C:\Windows\system32\svchost.exe (PID 300)
            cmdline: C:\Windows\system32\svchost.exe -k NetworkService
        C:\Windows\system32\svchost.exe (PID 992)
            cmdline: C:\Windows\system32\svchost.exe -k LocalService
        C:\Windows\system32\svchost.exe (PID 832)
            cmdline: C:\Windows\system32\svchost.exe -k netsvcs
            C:\Windows\system32\wbem\WMIADAP.EXE (PID 2288)
                cmdline: wmiadap.exe /F /T /R
        C:\Windows\System32\svchost.exe (PID 804)
            cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        C:\Windows\System32\svchost.exe (PID 740)
            cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        C:\Windows\system32\svchost.exe (PID 680)
            cmdline: C:\Windows\system32\svchost.exe -k RPCSS
        C:\Windows\system32\svchost.exe (PID 604)
            cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
            C:\Windows\system32\DllHost.exe (PID 2520)
                cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            C:\Windows\system32\wbem\wmiprvse.exe (PID 2076)
                cmdline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
        C:\Windows\system32\sppsvc.exe (PID 2472)
            cmdline: C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\svchost.exe (PID 2148)
            cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\lsm.exe (PID 492)
        cmdline: C:\Windows\system32\lsm.exe

C:\Windows\system32\csrss.exe (PID 336)
    cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\System32\smss.exe (PID 260)
    cmdline: \SystemRoot\System32\smss.exe

C:\Windows\system32\winlogon.exe (PID 424)
    cmdline: winlogon.exe

C:\Windows\Explorer.EXE (PID 1404)
    cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\3d0a7935310b1fde5b39d9e7a7e5652d.exe (PID 2004)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\3d0a7935310b1fde5b39d9e7a7e5652d.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2008)
            cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (PID 2716)
                cmdline: C:\Windows\system32\svchost.exe
                - Modifies WinLogon for persistence
                - Drops file in System32 directory
                - Drops file in Program Files directory
            C:\Windows\SysWOW64\svchost.exe (PID 2120)
                cmdline: C:\Windows\system32\svchost.exe
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

C:\Windows\system32\Dwm.exe (PID 1340)
    cmdline: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded; hashes are identical to the submitted sample)
    Filesize: 68KB
    MD5: 3d0a7935310b1fde5b39d9e7a7e5652d
    SHA1: 8fdc9d8799b9fca3ed5f2d5d3cf9b0ec7464202f
    SHA256: 8aa9ab89716f8003ca999456a7784b51f1242273c0faa80cb2e777cd31fc0c91
    SHA512: 2d5bd67c19c462bc22d2092fe3bf9c45969092e0d41f5bb61fb6e587946bc5537d302926f7f979649cf43e06cc13498dbfaa98f2dc283157172a846cddd8a33d

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize: 149KB
    MD5: f8b6cb873436f54388642f031b3cfe2a
    SHA1: 9d00ed885ab9841f2490cba8325b4c7d8cac10d9
    SHA256: 4d5a62811baf5b386d5fc7472e22b5a3e402911bad56d381881d989a03e4e387
    SHA512: bcd986e2b4864953c6c68472b333f7e986a5186c2c36ca0741df35800b3bc648b9206dbe8f51ac7687a94364d75d77d10af62c50e909aa2d0c9c4f3b11d26129

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize: 145KB
    MD5: 9179e8c0bf430e72bcac87f269b6655f
    SHA1: dece63480ac6045f8d8a20bbfc13bdc099a7bc14
    SHA256: bfa457cf36c79275d27249648e2d4249e87c0d797f844a1936bbad23221b00ab
    SHA512: 5c5064e9058c8be1abb39ab27fc8a26a16e0d2052b14c8b96b3ae6780f464557457bd6d0289c6586d89d4744d9f5fbe2b3cfec6c35e2ea5dc4ded97821211f5f