Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2024, 20:27

Static task: static1
Behavioral task: behavioral1
Sample: c6c9aa2eaf6311e97a9f1459870e26bd.dll
Resource: win7-20240221-en

General
- Target: c6c9aa2eaf6311e97a9f1459870e26bd.dll
- Size: 166KB
- MD5: c6c9aa2eaf6311e97a9f1459870e26bd
- SHA1: 19be3c799bb7fcf2bb14212603d3974e54cc22ea
- SHA256: 7a11f2189eed727ce81578705804e9f20859eba1b8fc4345c18d9cb3b1b9b3b0
- SHA512: 00c99e842238e926e60f0bababc4a1d65955f5bde2c0a7824ecb4fb4518878d9c16a1246640a8555d88319bafe5773c5ab0a080ce264f5a4456272c6673cdf52
- SSDEEP: 3072:bTU56gVxj27Ne4L99ZgyXf9MWebpjMGlDCdr9:84L7vBsGd9
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1716 | regsvr32mgr.exe
  2956 | WaterMark.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  1728 | regsvr32.exe
  1728 | regsvr32.exe
  1716 | regsvr32mgr.exe
  1716 | regsvr32mgr.exe
- Yara rule matches
  resource | yara_rule
  behavioral1/memory/1716-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-11-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1716-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2956-32-0x0000000000400000-0x0000000000435000-memory.dmp | upx
  behavioral1/memory/2956-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2956-41-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2956-93-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2956-464-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\regsvr32mgr.exe | regsvr32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\DVD Maker\WMM2CLIP.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\jdwp.dll | svchost.exe
  File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | svchost.exe
  File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingEngine.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Internet Explorer\F12.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kcms.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\splashscreen.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Sidebar\sbdrop.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msadco.dll | svchost.exe
  File opened for modification | C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html | svchost.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\jsound.dll | svchost.exe
  File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html | svchost.exe
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | regsvr32mgr.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\ucrtbase.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll | svchost.exe
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid | Process
  2956 | WaterMark.exe (8 entries)
  2392 | svchost.exe (28 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2956 | WaterMark.exe
  Token: SeDebugPrivilege | 2392 | svchost.exe
  Token: SeDebugPrivilege | 2956 | WaterMark.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1716 | regsvr32mgr.exe
  2956 | WaterMark.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with counts)
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 1728 | 2032 | regsvr32.exe | 28 (7 entries)
  PID 1728 wrote to memory of 1716 | 1728 | regsvr32.exe | 29 (4 entries)
  PID 1716 wrote to memory of 2956 | 1716 | regsvr32mgr.exe | 30 (4 entries)
  PID 2956 wrote to memory of 2600 | 2956 | WaterMark.exe | 31 (10 entries)
  PID 2956 wrote to memory of 2392 | 2956 | WaterMark.exe | 32 (10 entries)
  PID 2392 wrote to memory of 260 | 2392 | svchost.exe | 1 (5 entries)
  PID 2392 wrote to memory of 336 | 2392 | svchost.exe | 2 (5 entries)
  PID 2392 wrote to memory of 372 | 2392 | svchost.exe | 3 (5 entries)
  PID 2392 wrote to memory of 384 | 2392 | svchost.exe | 4 (5 entries)
  PID 2392 wrote to memory of 420 | 2392 | svchost.exe | 5 (5 entries)
  PID 2392 wrote to memory of 464 | 2392 | svchost.exe | 6 (4 entries)
Processes
(tree depth shown by indentation; image path, then command line in parentheses, then PID; matched signatures listed beneath)
- C:\Windows\System32\smss.exe (\SystemRoot\System32\smss.exe) PID:260
- C:\Windows\system32\csrss.exe (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID:336
- C:\Windows\system32\wininit.exe (wininit.exe) PID:372
  - C:\Windows\system32\services.exe (C:\Windows\system32\services.exe) PID:464
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k DcomLaunch) PID:584
      - C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:1964
      - C:\Windows\system32\wbem\wmiprvse.exe (C:\Windows\system32\wbem\wmiprvse.exe -Embedding) PID:1672
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k RPCSS) PID:664
    - C:\Windows\System32\svchost.exe (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) PID:752
    - C:\Windows\System32\svchost.exe (C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted) PID:792
      - C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1324
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k netsvcs) PID:832
      - C:\Windows\system32\wbem\WMIADAP.EXE (wmiadap.exe /F /T /R) PID:1824
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k LocalService) PID:984
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k NetworkService) PID:272
    - C:\Windows\System32\spoolsv.exe (C:\Windows\System32\spoolsv.exe) PID:896
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork) PID:340
    - C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1228
    - C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation) PID:3056
    - C:\Windows\system32\sppsvc.exe (C:\Windows\system32\sppsvc.exe) PID:1504
  - C:\Windows\system32\lsass.exe (C:\Windows\system32\lsass.exe) PID:480
  - C:\Windows\system32\lsm.exe (C:\Windows\system32\lsm.exe) PID:488
- C:\Windows\system32\csrss.exe (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID:384
- C:\Windows\system32\winlogon.exe (winlogon.exe) PID:420
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1392
  - C:\Windows\system32\regsvr32.exe (regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c6c9aa2eaf6311e97a9f1459870e26bd.dll) PID:2032
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (/s C:\Users\Admin\AppData\Local\Temp\c6c9aa2eaf6311e97a9f1459870e26bd.dll) PID:1728
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32mgr.exe (C:\Windows\SysWOW64\regsvr32mgr.exe) PID:1716
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe ("C:\Program Files (x86)\Microsoft\WaterMark.exe") PID:2956
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe (C:\Windows\system32\svchost.exe) PID:2600
            signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
          - C:\Windows\SysWOW64\svchost.exe (C:\Windows\system32\svchost.exe) PID:2392
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 206KB
  MD5: 895e5cc542a80596e390d5d679ab9d77
  SHA1: 7c6c538c254a850e02b5f5d3898cf30e4d2d000d
  SHA256: 258ca4b8c51ebb60f53d5c915b5a83811f95de6d0666941d03a940eee22dc5c3
  SHA512: 3d7695ac04a0c233b6f38765a1fecd5416b6f3cc0a8e6f39eb4d671f4fb3aff8f28ba9c7dff7c8aba140f079a221e065d5d6c8f3d263d3580542ad21f5c4c3af
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 202KB
  MD5: 5e55382ae6b5b07777c8cdca227827e3
  SHA1: eac3ac3c0f997bcc00eebeffe33a3329be9f50b4
  SHA256: 88c55a4e722b79e6b22d087b576f2405cc20975b134e49457360ecc1683ac288
  SHA512: 577d6ec0435b7ba2fab4c46d9574c10acf6e8c7dda86d95d983c2147fdc3a4b830d2933a1f0fd942285b1f7a7e74c59b1b01f8bbc5b109a1df76f11f8cf3c150
- (no path recorded)
  Filesize: 96KB
  MD5: 8c51fd9d6daa7b6137634de19a49452c
  SHA1: db2a11cca434bacad2bf42adeecae38e99cf64f8
  SHA256: 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
  SHA512: b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837