Analysis
max time kernel: 133s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 05:17
Static task: static1
Behavioral task: behavioral1
Sample: ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll
Resource: win7-20240508-en

General
Target: ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll
Size: 157KB
MD5: 65c33f336e53a2b8e132bd4121224a84
SHA1: 7cc8cd99f20923e5c2126596019a67cecbd7ce2a
SHA256: ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393
SHA512: c56133e3839f0f1f4c45b0852be648107d47e8bf11b3fb29efc0181ab6ec813e4247066155105edec1a65f3ea7e1e21b595fd2e534e4f82ceeeb79d8f3ffa591
SSDEEP: 3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1C:IMqWfdNANO6yEYZ7DVQgsQLPzo1C
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3596-19-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3596-21-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3596-20-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3596-18-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3596-17-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3596-30-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1372-52-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1916-45-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/3036-64-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1144-71-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral2/memory/1372-89-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
Executes dropped EXE 6 IoCs
Processes:
pid | process
3596 | rundll32mgr.exe
1916 | rundll32mgrmgr.exe
1372 | WaterMark.exe
3036 | WaterMark.exe
1144 | WaterMarkmgr.exe
4132 | WaterMark.exe
Processes:
resource | yara_rule
behavioral2/memory/3596-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-21-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3596-30-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1372-52-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1372-46-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral2/memory/1916-45-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3036-64-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1144-71-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1372-89-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
Drops file in Program Files directory 10 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px5582.tmp | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px54E6.tmp | rundll32mgrmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgrmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px5479.tmp | rundll32mgr.exe
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
3928 | 4936 | WerFault.exe | svchost.exe
1764 | 2364 | WerFault.exe | svchost.exe
3960 | 772 | WerFault.exe | svchost.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3611B573-1B1F-11EF-BCA5-C2748A3A93CE} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "194130724" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3618DD8E-1B1F-11EF-BCA5-C2748A3A93CE} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{361679B8-1B1F-11EF-BCA5-C2748A3A93CE} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "186162201" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "191162695" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "193974840" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "186162201" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "186474883" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "194130724" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "192255982" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "186630924" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "191162695" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108908" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "192255982" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108908" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "186474883" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108908" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes (repeated entries collapsed by pid):
pid | process | occurrences
1372 | WaterMark.exe | 16
3036 | WaterMark.exe | 16
4132 | WaterMark.exe | 16
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4228 | rundll32.exe
Token: SeDebugPrivilege | 1372 | WaterMark.exe
Token: SeDebugPrivilege | 3036 | WaterMark.exe
Token: SeDebugPrivilege | 4132 | WaterMark.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
3156 | iexplore.exe
2056 | iexplore.exe
3576 | iexplore.exe
1388 | iexplore.exe
Suspicious use of SetWindowsHookEx 16 IoCs
Processes (repeated entries collapsed by pid):
pid | process | occurrences
2056 | iexplore.exe | 2
3576 | iexplore.exe | 2
3156 | iexplore.exe | 2
1388 | iexplore.exe | 2
4448 | IEXPLORE.EXE | 4
1300 | IEXPLORE.EXE | 2
4764 | IEXPLORE.EXE | 2
Suspicious use of UnmapMainImage 6 IoCs
Processes:
pid | process
3596 | rundll32mgr.exe
1916 | rundll32mgrmgr.exe
1372 | WaterMark.exe
3036 | WaterMark.exe
1144 | WaterMarkmgr.exe
4132 | WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description is "wrote to memory of" for every entry; repeated entries collapsed by pid pair):
pid | process | target pid | target process | occurrences
2720 | rundll32.exe | 4228 | rundll32.exe | 3
4228 | rundll32.exe | 3596 | rundll32mgr.exe | 3
3596 | rundll32mgr.exe | 1916 | rundll32mgrmgr.exe | 3
3596 | rundll32mgr.exe | 1372 | WaterMark.exe | 3
1916 | rundll32mgrmgr.exe | 3036 | WaterMark.exe | 3
1372 | WaterMark.exe | 1144 | WaterMarkmgr.exe | 3
1372 | WaterMark.exe | 2364 | svchost.exe | 9
3036 | WaterMark.exe | 772 | svchost.exe | 9
1144 | WaterMarkmgr.exe | 4132 | WaterMark.exe | 3
4132 | WaterMark.exe | 4936 | svchost.exe | 9
1372 | WaterMark.exe | 3156 | iexplore.exe | 2
1372 | WaterMark.exe | 3576 | iexplore.exe | 2
3036 | WaterMark.exe | 1388 | iexplore.exe | 2
3036 | WaterMark.exe | 2056 | iexplore.exe | 2
4132 | WaterMark.exe | 2156 | iexplore.exe | 2
4132 | WaterMark.exe | 3196 | iexplore.exe | 2
2056 | iexplore.exe | 4448 | IEXPLORE.EXE | 3
3576 | iexplore.exe | 1300 | IEXPLORE.EXE | 1
Processes (process tree; nesting shows parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffbe830db63d9aa6c99439513bc7415ddcc5fd4a74aa3089cb11a533c6f1a393.dll,#1
    Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe
          Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 204
              Signatures: Program crash
          - C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:17410 /prefetch:2
              Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          - C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17410 /prefetch:2
              Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
          Command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\WaterMark.exe
            Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\svchost.exe
              Command line: C:\Windows\system32\svchost.exe
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 204
                Signatures: Program crash
            - C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
            - C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
        - C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 204
            Signatures: Program crash
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3156 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3576 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 772 -ip 772
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4936 -ip 4936
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: c41ab5352ba79baac9ac093dd7eb2500
  SHA1: 1ffb0e70f86845daba211aeda43cad539d34ffd3
  SHA256: 558e13bb7aa293569457e9703d2db37e8365e2ab670b2c3484ada9336ed24895
  SHA512: ccebe3f11039e14d39d4102652669fd372d179778bf73fae0659dd01da569bbf850b273cd3a4e13dc77b3fd4fb4d84d01525ac3a0dcb23b297c733da10bc2ff0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 824bbf7d807b829e770c3594132bc4e7
  SHA1: ff8e15c88e7971eb56ced27e68af41e9935c1c19
  SHA256: 740aa3dfd8142afd1a75a836707714670aedc151aae1bbbf68584f390e8ca055
  SHA512: 8b90e47c4e7307b9ccba2b6dbe6e82b0380d0fee800070b459e67c605e7a7b06243e70de0efd90660aea79bff62c6bb29a0f6e60d5dd652e1b590865646e6cfc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: ddc4369da2785b2f94f00020153e6b58
  SHA1: 7aed879d7783db399266703fbf2d1cce049f8995
  SHA256: 5bd596ff49387dab33c9cb3dbb72f85838db99412554a276a5bb8293a94da917
  SHA512: 823434d6fe2e6c8ec00e296377b1be6a052a3624c40c9bce645eea89b5ba273bba536947e028bc68602a8721e6aa2d9bf5b808b556a30ef6b114cf0fb352f00e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 0575177975a4d9e70c7405169d1a23dc
  SHA1: 86e950de93cf5f7da49d2b29660a0b5caff35391
  SHA256: 4e4fe731a368fb5da7aebed8d9bf4308e6d1e31e4e2ea8392014bdaf0f35ea23
  SHA512: e7a2e12d790ceda8d06fce8aa6307de2516461185a31cb8d6f4a7cc841bc68f1a7f124c5128031d64e7658c9303f9b7115b2b373cd8c5ccefbdc6717bd985321
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3618DD8E-1B1F-11EF-BCA5-C2748A3A93CE}.dat
  Filesize: 4KB
  MD5: d9630e55c6faa5cc7a795629293ecf85
  SHA1: ee7034104086a31f4088deab9e60cf1bf9c7c2aa
  SHA256: d219492fa9adf0ec0e993d6fdff0afccdc2cb436ef23eb1bbc50c0de67febc7f
  SHA512: 7cc2cb0acf9fbc72ba8da48bdd21243485dd94fcb5856bf1e09c4ed90f5b0e9182078be00f6beaf14bc2dec12a824abc8a170e947a5d3dbcb6e62aa1a6925dda
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3618DD8E-1B1F-11EF-BCA5-C2748A3A93CE}.dat
  Filesize: 3KB
  MD5: 6d973be15be9247194ae06b30fbc4525
  SHA1: 79fe7cb80f3d76bc4271c5924e20a20391a2a694
  SHA256: 6b208334737430a398a29c1c2c2128df313222ab75d2e541ec1556f313ffd173
  SHA512: 6bd515e525c4bb945ca7532cc4cad95f05bd888be003b63755fbe12bfc2ebdc6d2146493bea6ab42c2c39d3edc85b9bcfc3457593d41cb53f9cd5e4104b9f2d4
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3618DD8E-1B1F-11EF-BCA5-C2748A3A93CE}.dat
  Filesize: 5KB
  MD5: f410adc7f0d1824236c26e1e9d8856ce
  SHA1: c77deeb0447d749e97fa5f6cb508e1df697e0d1a
  SHA256: a3e2d70edcbbdb372ab70ffe6e201735b90b4a668545111874572b9b5f9ebae7
  SHA512: 6d6f37bb711956792d6d89de41f554dd0f79afe48bdbb2d229ae8db2d1a8abf74c3f6c1e80b02562a822e49563c2f8541422d0e6cc6cafabf2ce309b15fe9a99
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{361B3EA2-1B1F-11EF-BCA5-C2748A3A93CE}.dat
  Filesize: 5KB
  MD5: 2bbc0a3e5f048d53a6613bb1d0b34d48
  SHA1: c3a8b042615b4a1762a78fc3c49a84cf01ff1b7e
  SHA256: 5c384fd2e35fba38b4b8c3a499e614d1a0c0523feaa10762879330c2d3663701
  SHA512: 122b36c7b005474ba7f20627b69a8658dbd83124bcc717123d43de1ef2e6068daca6da7b17437b412e3746a26cb32e0b6eeddba556c9b26c72792f0a2e5006e7
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDBAB.tmp
  Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 122KB
  MD5: c5255edf109342e3e1d1eb0990b2d094
  SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
  SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
  SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3
- C:\Windows\SysWOW64\rundll32mgrmgr.exe
  Filesize: 59KB
  MD5: f2c8b7e238a07cce22920efb1c8645a6
  SHA1: cd2af4b30add747e222f938206b78d7730fdf346
  SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
  SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699
Memory dumps
memory dump | Filesize
memory/1144-71-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1372-89-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1372-53-0x0000000077312000-0x0000000077313000-memory.dmp | 4KB
memory/1372-81-0x0000000000070000-0x0000000000071000-memory.dmp | 4KB
memory/1372-46-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB
memory/1372-51-0x0000000000060000-0x0000000000061000-memory.dmp | 4KB
memory/1372-52-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/1916-13-0x0000000000400000-0x0000000000423000-memory.dmp | 140KB
memory/1916-45-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3036-54-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB
memory/3036-64-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3036-63-0x0000000000430000-0x0000000000431000-memory.dmp | 4KB
memory/3596-16-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-17-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-4-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB
memory/3596-38-0x0000000000401000-0x0000000000405000-memory.dmp | 16KB
memory/3596-25-0x00000000008D0000-0x00000000008D1000-memory.dmp | 4KB
memory/3596-14-0x0000000000401000-0x0000000000405000-memory.dmp | 16KB
memory/3596-15-0x0000000000400000-0x0000000000433000-memory.dmp | 204KB
memory/3596-30-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-18-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-20-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-21-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/3596-19-0x0000000000400000-0x0000000000421000-memory.dmp | 132KB
memory/4228-3-0x0000000010000000-0x000000001002B000-memory.dmp | 172KB
memory/4228-7-0x0000000003320000-0x0000000003321000-memory.dmp | 4KB
memory/4228-8-0x0000000077312000-0x0000000077313000-memory.dmp | 4KB
memory/4228-5-0x0000000003210000-0x0000000003211000-memory.dmp | 4KB