Analysis
max time kernel: 3s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:05

Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
Resource: win7-20231215-en
11 signatures, 150 seconds
General
Target: ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
Size: 116KB
MD5: ad69ba9f0c1b6d2e22141d0cfbfdf892
SHA1: d0fb135c6dbf4d67e9e80ea422ad0f3a0afcf5ce
SHA256: 383df27b84ca79e918b559f8450046bcdce04616aa39a3849b046941d4bc6a52
SHA512: b8f26cbee38afbcf8ff0f76f780d972f1464bada7563cbaf4a957b82b79b897668cb29c4feed22c45f7154d5978d8a0e4303f19fcd5c66663378dbcea6c269fb
SSDEEP: 1536:/R0vxn3Pc0LCH9MtbvabUDzJYWu3BvbSGBYYonJasu7o:/R2xn3k0CdM1vabyzJYWqxbFBYBn0e
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
1404 | WaterMark.exe
UPX packed file (13 IoCs)
resource | yara_rule
behavioral2/memory/228-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-17-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral2/memory/1404-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-5-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-4-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-3-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/228-2-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-33-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-34-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\px3C8C.tmp | ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
Program crash (1 IoC)
pid | pid_target | Process
1932 | 4552 | WerFault.exe
Modifies Internet Explorer settings (7 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DABB87B8-AD8F-11EE-8184-CE055DF4442A} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1404 | WaterMark.exe (16 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1404 | WaterMark.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2804 | iexplore.exe (2 identical entries)
Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
228 | ad69ba9f0c1b6d2e22141d0cfbfdf892.exe
1404 | WaterMark.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 228 wrote to memory of 1404 | 228 | ad69ba9f0c1b6d2e22141d0cfbfdf892.exe | 24 (3 identical entries)
PID 1404 wrote to memory of 4552 | 1404 | WaterMark.exe | 23 (9 identical entries)
PID 1404 wrote to memory of 4708 | 1404 | WaterMark.exe | 66 (2 identical entries)
PID 1404 wrote to memory of 2804 | 1404 | WaterMark.exe | 68 (2 identical entries)
PID 2804 wrote to memory of 4476 | 2804 | iexplore.exe | 67 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\ad69ba9f0c1b6d2e22141d0cfbfdf892.exe (PID: 228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad69ba9f0c1b6d2e22141d0cfbfdf892.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\WaterMark.exe (PID: 1404)
    Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe (PID: 4708)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings

    C:\Program Files\Internet Explorer\iexplore.exe (PID: 2804)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe (PID: 4424)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552

C:\Windows\SysWOW64\WerFault.exe (PID: 1932)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 208
  - Program crash

C:\Windows\SysWOW64\svchost.exe (PID: 4552)
  Command line: C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID: 4476)
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:17410 /prefetch:2