Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 06:34
Behavioral task: behavioral1
Sample: c7edd4f4920f3dbef01fa5ff25d1bfb4.exe
Resource: win7-20240221-en
General

Target: c7edd4f4920f3dbef01fa5ff25d1bfb4.exe
Size: 24KB
MD5: c7edd4f4920f3dbef01fa5ff25d1bfb4
SHA1: cc6d41e8fe35de57cecb68599ab8f772c61bc2b3
SHA256: 5c414534767e207155d978b785c26c957fe176d2a4a91fcb7f626ddb086e40fd
SHA512: d1a09069304f0762d068a8b4049357367a03012c662bb6fa237451a88a1e83a4e7cee9a16c753f05aa4fef4cac5fc3ac3f313a83035454dec7ec2d5ee49118a3
SSDEEP: 768:nPlVoufxw3E7zGz0UVO+7q9n6nPsdZaIop:PlVoKxw3EvI7I6nghO
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2216 | WaterMark.exe

Loads dropped DLL (1 IoC)
  pid | Process
  1724 | c7edd4f4920f3dbef01fa5ff25d1bfb4.exe

YARA rule matches
  resource | yara_rule
  behavioral1/memory/1724-2-0x0000000000400000-0x0000000000413000-memory.dmp | upx
  behavioral1/files/0x000d0000000136fc-7.dat | upx
  behavioral1/memory/2216-9-0x0000000000400000-0x0000000000413000-memory.dmp | upx
  behavioral1/memory/2216-31-0x0000000000400000-0x0000000000413000-memory.dmp | upx

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | c7edd4f4920f3dbef01fa5ff25d1bfb4.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | c7edd4f4920f3dbef01fa5ff25d1bfb4.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px1333.tmp | c7edd4f4920f3dbef01fa5ff25d1bfb4.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2216 | WaterMark.exe
  2216 | WaterMark.exe
  2216 | WaterMark.exe
  2216 | WaterMark.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2216 | WaterMark.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1724 wrote to memory of 2216 | 1724 | c7edd4f4920f3dbef01fa5ff25d1bfb4.exe | 28   (4 identical entries)
  PID 2216 wrote to memory of 1584 | 2216 | WaterMark.exe | 29   (10 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c7edd4f4920f3dbef01fa5ff25d1bfb4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c7edd4f4920f3dbef01fa5ff25d1bfb4.exe"
   PID: 1724
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Microsoft\WaterMark.exe
      Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      PID: 2216
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\system32\svchost.exe
         PID: 1584
         - Modifies WinLogon for persistence
         - Drops file in System32 directory
         - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 24KB
MD5: c7edd4f4920f3dbef01fa5ff25d1bfb4
SHA1: cc6d41e8fe35de57cecb68599ab8f772c61bc2b3
SHA256: 5c414534767e207155d978b785c26c957fe176d2a4a91fcb7f626ddb086e40fd
SHA512: d1a09069304f0762d068a8b4049357367a03012c662bb6fa237451a88a1e83a4e7cee9a16c753f05aa4fef4cac5fc3ac3f313a83035454dec7ec2d5ee49118a3