Analysis
-
max time kernel: 133s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 02:42
Static task: static1
Behavioral task: behavioral1
Sample: c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll
Resource: win7-20240508-en
General
-
Target: c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll
Size: 157KB
MD5: 5d5bed54a20709d639a8cccb47b87c47
SHA1: e98c5f4d7139731abf1ec3ad305c991af6eebb15
SHA256: c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8
SHA512: 7193a0ec1bfa0f6f1d72fd57a2be46cb6d2e14aacce1e45c6069bacb82ef5ed8d385acd63f48ff08179dacca6a6a8cd96cb1e67a2e4153dbaf6b059099dcccd6
SSDEEP: 3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1p:IMqWfdNANG6yEYZ7DVQgsQLPzo1p
Signatures
-
UPX dump on OEP (original entry point) 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
1544 | rundll32mgr.exe
4132 | rundll32mgrmgr.exe
4940 | WaterMark.exe
1692 | WaterMarkmgr.exe
3688 | WaterMark.exe
3076 | WaterMarkmgr.exe
1252 | WaterMark.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1544-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3076-78-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp | upx
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
-
Drops file in Program Files directory 12 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\px46AE.tmp | rundll32mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px4759.tmp | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px47A8.tmp | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px46BD.tmp | rundll32mgrmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgrmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
3656 | 3952 | WerFault.exe | svchost.exe
1552 | 2112 | WerFault.exe | svchost.exe
4592 | 1804 | WerFault.exe | svchost.exe
-
Modifies Internet Explorer settings
Processes:
All keys below are under \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\ (the hive prefix is omitted from each row).
description | ioc | process
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F5FFF12-1B09-11EF-A084-FE55E2F65CCF} = "0" | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423456309" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1673684038" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1676496559" | IEXPLORE.EXE
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108886" | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108886" | IEXPLORE.EXE
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1673684038" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108886" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
pid | process | entries (identical rows in the report)
4940 | WaterMark.exe | 16
3688 | WaterMark.exe | 16
1252 | WaterMark.exe | 16
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4816 | rundll32.exe
Token: SeDebugPrivilege | 4940 | WaterMark.exe
Token: SeDebugPrivilege | 3688 | WaterMark.exe
Token: SeDebugPrivilege | 1252 | WaterMark.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4092 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process | entries (identical rows in the report)
4092 | iexplore.exe | 2
2148 | IEXPLORE.EXE | 4
-
Suspicious use of UnmapMainImage 7 IoCs
Processes:
pid | process
1544 | rundll32mgr.exe
4132 | rundll32mgrmgr.exe
4940 | WaterMark.exe
1692 | WaterMarkmgr.exe
3688 | WaterMark.exe
3076 | WaterMarkmgr.exe
1252 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each row is one "PID <source> wrote to memory of <target>" event; the last column gives how many identical rows the report lists (64 in total).
source pid | source process | target pid | target process | entries
4468 | rundll32.exe | 4816 | rundll32.exe | 3
4816 | rundll32.exe | 1544 | rundll32mgr.exe | 3
1544 | rundll32mgr.exe | 4132 | rundll32mgrmgr.exe | 3
1544 | rundll32mgr.exe | 4940 | WaterMark.exe | 3
4940 | WaterMark.exe | 1692 | WaterMarkmgr.exe | 3
1692 | WaterMarkmgr.exe | 3688 | WaterMark.exe | 3
4940 | WaterMark.exe | 3952 | svchost.exe | 9
3688 | WaterMark.exe | 3076 | WaterMarkmgr.exe | 3
3076 | WaterMarkmgr.exe | 1252 | WaterMark.exe | 3
3688 | WaterMark.exe | 2112 | svchost.exe | 9
1252 | WaterMark.exe | 1804 | svchost.exe | 9
4940 | WaterMark.exe | 4092 | iexplore.exe | 2
4940 | WaterMark.exe | 3992 | iexplore.exe | 2
3688 | WaterMark.exe | 4800 | iexplore.exe | 2
3688 | WaterMark.exe | 2484 | iexplore.exe | 2
1252 | WaterMark.exe | 4960 | iexplore.exe | 2
4092 | iexplore.exe | 2148 | IEXPLORE.EXE | 3
Processes
-
Each entry gives the image path, its command line and its depth in the process tree (indentation follows depth); the signatures triggered by that process are listed beneath it.
-
C:\Windows\system32\rundll32.exe [depth 1]
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe [depth 2]
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c39a02d65e046ab3f46ee1f2315e17b8bf3b748af294d68d0d1a7d8c2f3252d8.dll,#1
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe [depth 3]
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgrmgr.exe [depth 4]
        command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of UnmapMainImage
      C:\Program Files (x86)\Microsoft\WaterMark.exe [depth 4]
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe [depth 5]
          command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Microsoft\WaterMark.exe [depth 6]
            command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe [depth 7]
              command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              C:\Program Files (x86)\Microsoft\WaterMark.exe [depth 8]
                command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\svchost.exe [depth 9]
                  command line: C:\Windows\system32\svchost.exe
                  C:\Windows\SysWOW64\WerFault.exe [depth 10]
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 204
                    - Program crash
                C:\Program Files\Internet Explorer\iexplore.exe [depth 9]
                  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  - Modifies Internet Explorer settings
                C:\Program Files\Internet Explorer\iexplore.exe [depth 9]
                  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  - Modifies Internet Explorer settings
            C:\Windows\SysWOW64\svchost.exe [depth 7]
              command line: C:\Windows\system32\svchost.exe
              C:\Windows\SysWOW64\WerFault.exe [depth 8]
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 204
                - Program crash
            C:\Program Files\Internet Explorer\iexplore.exe [depth 7]
              command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
            C:\Program Files\Internet Explorer\iexplore.exe [depth 7]
              command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
        C:\Windows\SysWOW64\svchost.exe [depth 5]
          command line: C:\Windows\system32\svchost.exe
          C:\Windows\SysWOW64\WerFault.exe [depth 6]
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 204
            - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe [depth 5]
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [depth 6]
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe [depth 5]
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WerFault.exe [depth 1]
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2112 -ip 2112
-
C:\Windows\SysWOW64\WerFault.exe [depth 1]
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1804 -ip 1804
-
C:\Windows\SysWOW64\WerFault.exe [depth 1]
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3952 -ip 3952
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: c41ab5352ba79baac9ac093dd7eb2500
SHA1: 1ffb0e70f86845daba211aeda43cad539d34ffd3
SHA256: 558e13bb7aa293569457e9703d2db37e8365e2ab670b2c3484ada9336ed24895
SHA512: ccebe3f11039e14d39d4102652669fd372d179778bf73fae0659dd01da569bbf850b273cd3a4e13dc77b3fd4fb4d84d01525ac3a0dcb23b297c733da10bc2ff0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: c43fcd026151e6262e3faa8b26461505
SHA1: 0477bd98ed8575997735d2f5347fdce1dadacdf4
SHA256: d759c80c98a16a4d48a4268e440766869a8cf28ea3a2327e1d17c197e9dc95d1
SHA512: 4a8b7f0f92ac30d28b1f547b8bf3af190b359126b946c0adc9e8fb30dd938ecdd5cb72d6481b5548f57dcc941f2c3a377603ea2c81fe0efac6cc203acfdb2866
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize: 122KB
MD5: c5255edf109342e3e1d1eb0990b2d094
SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3
-
C:\Windows\SysWOW64\rundll32mgrmgr.exe
Filesize: 59KB
MD5: f2c8b7e238a07cce22920efb1c8645a6
SHA1: cd2af4b30add747e222f938206b78d7730fdf346
SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699
-
Memory dumps (resource | Filesize)
memory/1252-90-0x0000000000060000-0x0000000000061000-memory.dmp | 4KB
memory/1544-10-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB
memory/1544-15-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1544-13-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1544-25-0x00000000008C0000-0x00000000008C1000-memory.dmp | 4KB
memory/1544-24-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1544-14-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1544-22-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1544-16-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1692-60-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3076-78-0x0000000000400000-0x0000000000423000-memory.dmp | 140KB
memory/3688-71-0x0000000000430000-0x0000000000431000-memory.dmp | 4KB
memory/3952-76-0x0000000000150000-0x0000000000151000-memory.dmp | 4KB
memory/3952-77-0x0000000000130000-0x0000000000131000-memory.dmp | 4KB
memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4132-32-0x0000000000401000-0x0000000000416000-memory.dmp | 84KB
memory/4132-12-0x0000000000400000-0x0000000000423000-memory.dmp | 140KB
memory/4132-31-0x0000000000416000-0x0000000000420000-memory.dmp | 40KB
memory/4132-28-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4816-6-0x0000000000C70000-0x0000000000C71000-memory.dmp | 4KB
memory/4816-11-0x0000000077B12000-0x0000000077B13000-memory.dmp | 4KB
memory/4816-5-0x0000000000990000-0x0000000000991000-memory.dmp | 4KB
memory/4816-1-0x0000000010000000-0x000000001002B000-memory.dmp | 172KB
memory/4940-53-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4940-48-0x00000000001D0000-0x00000000001D1000-memory.dmp | 4KB
memory/4940-92-0x0000000000070000-0x0000000000071000-memory.dmp | 4KB
memory/4940-95-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4940-96-0x0000000000401000-0x0000000000416000-memory.dmp | 84KB
memory/4940-97-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4940-98-0x0000000000401000-0x0000000000416000-memory.dmp | 84KB
memory/4940-59-0x0000000000401000-0x0000000000416000-memory.dmp | 84KB
memory/4940-61-0x0000000077B12000-0x0000000077B13000-memory.dmp | 4KB
memory/4940-36-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB