596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31

General

Target

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
Size

301KB
MD5

321a721d97e8388b218d228554c5eec7
SHA1

3a575091003c5ade5a35634c86763f3b67edc6c6
SHA256

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31
SHA512

686e4b8ed6bbcf196a8ca06757b1e5ba3522bd56c671ebc39bae6737f37a48f269f0edf0ba93e6474a50696c4edbf6c71457d1cb9ee204ec37a47533f732e2eb
SSDEEP

3072:bG8zUShJdiwv3OEcIlJ+k433GZ+cQRA7oTRCSAGjcc2zWm7/O2JN7RSNGx:/i7Egnq+xRA7b4l23NENm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exewator.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wator.exe

Executes dropped EXE 1 IoCs

Processes:

wator.exe

pid process

1580 wator.exe

pid	process
1580	wator.exe

Loads dropped DLL 2 IoCs

Processes:

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe

pid	process
1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wator.exe596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /P"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /H"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /E"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /F"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /r"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /U"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /Z"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /m"	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /p"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /l"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /S"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /C"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /I"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /O"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /u"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /t"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /v"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /J"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /N"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /y"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /d"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /B"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /Y"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /e"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /a"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /b"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /f"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /M"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /g"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /j"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /q"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /w"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /T"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /R"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /A"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /n"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /x"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /c"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /K"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /D"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /i"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /k"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /V"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /s"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /z"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /Q"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /G"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /W"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /L"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /h"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /X"	wator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wator = "C:\\Users\\Admin\\wator.exe /m"	wator.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exewator.exe

pid	process
1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe
1580	wator.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exewator.exe

pid process

1752 596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
1580 wator.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe

description	pid	process	target process
PID 1752 wrote to memory of 1580	1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe	wator.exe
PID 1752 wrote to memory of 1580	1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe	wator.exe
PID 1752 wrote to memory of 1580	1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe	wator.exe
PID 1752 wrote to memory of 1580	1752	596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe	wator.exe

C:\Users\Admin\AppData\Local\Temp\596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe
"C:\Users\Admin\AppData\Local\Temp\596817a177cf7d167fe32717f514a3400219d785f10bb9cff63285c088deee31.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\wator.exe
"C:\Users\Admin\wator.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wator.exe

Filesize
301KB

MD5
c7985e9b35843b956ac6a426aa89f19e

SHA1
55b638916c72808b9f3dd3644a98cd36fa96a88e

SHA256
5ee291d09bb0a7fd1c441e3adc97fa1fced52b989fc7b3c1063b78ecb2094d32

SHA512
a261c66a3ea501d9c5b0618667ddc57354a44a9ff10b86c9a65a52b90c3b039af877a7d427387f59d44e9ac25b38d943f1403e417e9ef14449ec5ff25eef1d7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads