Analysis
- max time kernel: 133s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 02:53
Static task: static1
Behavioral task: behavioral1
Sample: ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll
Resource: win7-20240419-en
General
- Target: ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll
- Size: 157KB
- MD5: 13512ca83401d4a94f6ca2fe8bc742ca
- SHA1: de6caf7d767d89dce94ce3f3f828742f55a82b6c
- SHA256: ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30
- SHA512: adf6c380f633d6365c7eaf8cf32e41fb134175b5ca7c2b7b2b74cbccb7a4dae7c4b890ebed656165f536b6a0968a52743e740d8062aea311a37709bb92935d59
- SSDEEP: 3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1xO:IMqWfdNANO6yEYZ7DVQgsQLPzo1xO
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 11 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2216-17-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/2216-23-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/3168-62-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/1208-67-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/3380-68-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/1320-36-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/2216-24-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/2216-16-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/2216-15-0x0000000000400000-0x0000000000421000-memory.dmp UPX
- behavioral2/memory/3380-84-0x0000000000400000-0x0000000000421000-memory.dmp UPX
Executes dropped EXE 6 IoCs
Processes (pid, process):
- 2216 rundll32mgr.exe
- 1320 rundll32mgrmgr.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 3168 WaterMarkmgr.exe
- 5012 WaterMark.exe
Processes (resource, yara_rule):
- behavioral2/memory/2216-14-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-17-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-23-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3168-62-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/1208-69-0x0000000000400000-0x0000000000433000-memory.dmp upx
- behavioral2/memory/1208-67-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3380-68-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3168-58-0x0000000000400000-0x0000000000423000-memory.dmp upx
- behavioral2/memory/1320-36-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-24-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-16-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2216-15-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3380-84-0x0000000000400000-0x0000000000421000-memory.dmp upx
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
- File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe
Drops file in Program Files directory 10 IoCs
Processes (description, ioc, process):
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe
- File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe
- File opened for modification C:\Program Files (x86)\Microsoft\px5748.tmp WaterMarkmgr.exe
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe WaterMarkmgr.exe
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe
- File opened for modification C:\Program Files (x86)\Microsoft\px56BB.tmp rundll32mgr.exe
- File opened for modification C:\Program Files (x86)\Microsoft\px56CB.tmp rundll32mgrmgr.exe
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgrmgr.exe
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe
Program crash 3 IoCs
Processes (pid, pid_target, process, target process):
- 3744 5068 WerFault.exe svchost.exe
- 3332 3324 WerFault.exe svchost.exe
- 2512 2120 WerFault.exe svchost.exe
Modifies Internet Explorer settings
Processes (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48A351D8-1BD4-11EF-9519-4A6FEDA150B9} = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "486102605" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109089" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109089" IEXPLORE.EXE
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "490477162" IEXPLORE.EXE
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "486102605" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109089" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "486102605" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423543378" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109089" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "486102605" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "486258609" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109089" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109089" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48A303B8-1BD4-11EF-9519-4A6FEDA150B9} = "0" iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
- Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109089" IEXPLORE.EXE
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109089" IEXPLORE.EXE
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes (pid, process):
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 3380 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 1208 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
- 5012 WaterMark.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 4020 rundll32.exe
- Token: SeDebugPrivilege 1208 WaterMark.exe
- Token: SeDebugPrivilege 3380 WaterMark.exe
- Token: SeDebugPrivilege 5012 WaterMark.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid, process):
- 3060 iexplore.exe
- 4812 iexplore.exe
- 2324 iexplore.exe
- 2612 iexplore.exe
Suspicious use of SetWindowsHookEx 18 IoCs
Processes (pid, process):
- 4812 iexplore.exe
- 4812 iexplore.exe
- 3060 iexplore.exe
- 3060 iexplore.exe
- 2612 iexplore.exe
- 2612 iexplore.exe
- 2324 iexplore.exe
- 2324 iexplore.exe
- 1468 IEXPLORE.EXE
- 1468 IEXPLORE.EXE
- 212 IEXPLORE.EXE
- 212 IEXPLORE.EXE
- 1056 IEXPLORE.EXE
- 1056 IEXPLORE.EXE
- 4492 IEXPLORE.EXE
- 4492 IEXPLORE.EXE
- 1056 IEXPLORE.EXE
- 1056 IEXPLORE.EXE
Suspicious use of UnmapMainImage 6 IoCs
Processes (pid, process):
- 2216 rundll32mgr.exe
- 1320 rundll32mgrmgr.exe
- 1208 WaterMark.exe
- 3380 WaterMark.exe
- 3168 WaterMarkmgr.exe
- 5012 WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process):
- PID 3576 wrote to memory of 4020 3576 rundll32.exe rundll32.exe
- PID 3576 wrote to memory of 4020 3576 rundll32.exe rundll32.exe
- PID 3576 wrote to memory of 4020 3576 rundll32.exe rundll32.exe
- PID 4020 wrote to memory of 2216 4020 rundll32.exe rundll32mgr.exe
- PID 4020 wrote to memory of 2216 4020 rundll32.exe rundll32mgr.exe
- PID 4020 wrote to memory of 2216 4020 rundll32.exe rundll32mgr.exe
- PID 2216 wrote to memory of 1320 2216 rundll32mgr.exe rundll32mgrmgr.exe
- PID 2216 wrote to memory of 1320 2216 rundll32mgr.exe rundll32mgrmgr.exe
- PID 2216 wrote to memory of 1320 2216 rundll32mgr.exe rundll32mgrmgr.exe
- PID 2216 wrote to memory of 3380 2216 rundll32mgr.exe WaterMark.exe
- PID 2216 wrote to memory of 3380 2216 rundll32mgr.exe WaterMark.exe
- PID 2216 wrote to memory of 3380 2216 rundll32mgr.exe WaterMark.exe
- PID 1320 wrote to memory of 1208 1320 rundll32mgrmgr.exe WaterMark.exe
- PID 1320 wrote to memory of 1208 1320 rundll32mgrmgr.exe WaterMark.exe
- PID 1320 wrote to memory of 1208 1320 rundll32mgrmgr.exe WaterMark.exe
- PID 3380 wrote to memory of 3168 3380 WaterMark.exe WaterMarkmgr.exe
- PID 3380 wrote to memory of 3168 3380 WaterMark.exe WaterMarkmgr.exe
- PID 3380 wrote to memory of 3168 3380 WaterMark.exe WaterMarkmgr.exe
- PID 3168 wrote to memory of 5012 3168 WaterMarkmgr.exe WaterMark.exe
- PID 3168 wrote to memory of 5012 3168 WaterMarkmgr.exe WaterMark.exe
- PID 3168 wrote to memory of 5012 3168 WaterMarkmgr.exe WaterMark.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 1208 wrote to memory of 3324 1208 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 5068 3380 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 5012 wrote to memory of 2120 5012 WaterMark.exe svchost.exe
- PID 3380 wrote to memory of 2612 3380 WaterMark.exe iexplore.exe
- PID 3380 wrote to memory of 2612 3380 WaterMark.exe iexplore.exe
- PID 1208 wrote to memory of 2324 1208 WaterMark.exe iexplore.exe
- PID 1208 wrote to memory of 2324 1208 WaterMark.exe iexplore.exe
- PID 3380 wrote to memory of 3060 3380 WaterMark.exe iexplore.exe
- PID 3380 wrote to memory of 3060 3380 WaterMark.exe iexplore.exe
- PID 1208 wrote to memory of 4812 1208 WaterMark.exe iexplore.exe
- PID 1208 wrote to memory of 4812 1208 WaterMark.exe iexplore.exe
- PID 5012 wrote to memory of 3684 5012 WaterMark.exe iexplore.exe
- PID 5012 wrote to memory of 3684 5012 WaterMark.exe iexplore.exe
- PID 5012 wrote to memory of 3864 5012 WaterMark.exe iexplore.exe
- PID 5012 wrote to memory of 3864 5012 WaterMark.exe iexplore.exe
- PID 4812 wrote to memory of 212 4812 iexplore.exe IEXPLORE.EXE
- PID 4812 wrote to memory of 212 4812 iexplore.exe IEXPLORE.EXE
- PID 4812 wrote to memory of 212 4812 iexplore.exe IEXPLORE.EXE
- PID 3060 wrote to memory of 1468 3060 iexplore.exe IEXPLORE.EXE
Processes (process tree; the bracketed number is the depth in the tree)
- [1] C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#1
    Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32mgr.exe
      Command: C:\Windows\SysWOW64\rundll32mgr.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Command: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\WaterMark.exe
          Command: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\svchost.exe
            Command: C:\Windows\system32\svchost.exe
            - [7] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 204
              Signatures: Program crash
          - [6] C:\Program Files\Internet Explorer\iexplore.exe
            Command: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
            - [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:17410 /prefetch:2
              Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          - [6] C:\Program Files\Internet Explorer\iexplore.exe
            Command: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4812 CREDAT:17410 /prefetch:2
              Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - [4] C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
          Command: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Microsoft\WaterMark.exe
            Command: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\svchost.exe
              Command: C:\Windows\system32\svchost.exe
              - [8] C:\Windows\SysWOW64\WerFault.exe
                Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 204
                Signatures: Program crash
            - [7] C:\Program Files\Internet Explorer\iexplore.exe
              Command: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
            - [7] C:\Program Files\Internet Explorer\iexplore.exe
              Command: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
        - [5] C:\Windows\SysWOW64\svchost.exe
          Command: C:\Windows\system32\svchost.exe
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 204
            Signatures: Program crash
        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
          - [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 5068
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3324 -ip 3324
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2120 -ip 2120
Network
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A303B8-1BD4-11EF-9519-4A6FEDA150B9}.dat
  Filesize: 4KB
  MD5: b90c23de4902765bde451588ae1d9d90
  SHA1: ab4672f112d5787aa8172b07d7abb5bd8c6712ef
  SHA256: 029f20c1d2258bf9067c04d6c7faf2c07e163634da6e8d71cd36ce5cede4c120
  SHA512: 8c9b6e34e28f60be97d850124b1fc26d5e51f94b300ba60fff92ae513b5f9c4a5162d51f095b538b2e0fd5059bbe54d50d86839cf3241ea3918ad1a593e26c9c
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A32AC8-1BD4-11EF-9519-4A6FEDA150B9}.dat
  Filesize: 5KB
  MD5: d206156428779c1dfff25fe432861222
  SHA1: 849980e6373078bb3b3724d18dd0d5ca71aa1771
  SHA256: dcd377fe5a11df795be74b835ae18c7615755ecbf4222acab48a806615d8aba8
  SHA512: 2e0c044c2f7ae624f3a65bf7839d3eff4a349380a82dc4298c540ff50e88de4e8ab5e3fe5e3f56bd1cfd129c0187d5bd80dbfff5cc1585ab55fbdb2482d56add
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A32AC8-1BD4-11EF-9519-4A6FEDA150B9}.dat
  Filesize: 5KB
  MD5: 185cb9c1003e6146241816c146b3367b
  SHA1: c817736af7a3d53f1556533ac6b30189edde80d4
  SHA256: 0acf6f1d6114c16137660d74f0ea066a918cd9089708f970748a44dd3e7f3983
  SHA512: d32996df24ffbe7659e4e0bcc7ce658ae9c7fc0bff659e113636932d959595ee49040d8e1fb2d7572c3adde8920c6acc64673da89b56accd67bac63f2c1aa4bb
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A351D8-1BD4-11EF-9519-4A6FEDA150B9}.dat
  Filesize: 5KB
  MD5: abe1cb786ca32fc3b8e8e676854909af
  SHA1: a9a443e47d85460b07c41a15b6cbb37da629369e
  SHA256: 4550169d76c1965841902d095abddb690684c5fbf9ef574168c6e57bca2ef82a
  SHA512: 63c8e8ce50f4d0c1c1b1ea6d4c86379ceb32144c5459ec68685dfb44a42ead4ccc1dd1b74539c9890cd42129de58700a9a72e00736f7defe7d2a06f36638c43f
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD939.tmp
  Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 122KB
  MD5: c5255edf109342e3e1d1eb0990b2d094
  SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
  SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
  SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3
- C:\Windows\SysWOW64\rundll32mgrmgr.exe
  Filesize: 59KB
  MD5: f2c8b7e238a07cce22920efb1c8645a6
  SHA1: cd2af4b30add747e222f938206b78d7730fdf346
  SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
  SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699
- memory/1208-67-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1208-53-0x0000000000430000-0x0000000000431000-memory.dmp (Filesize: 4KB)
- memory/1208-69-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1320-12-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/1320-36-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-17-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-16-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-7-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/2216-14-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-23-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-15-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2216-25-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)
- memory/2216-24-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/3168-62-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/3168-58-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/3380-68-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/3380-38-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/3380-77-0x0000000000070000-0x0000000000071000-memory.dmp (Filesize: 4KB)
- memory/3380-39-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/3380-84-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/4020-1-0x0000000010000000-0x000000001002B000-memory.dmp (Filesize: 172KB)
- memory/4020-5-0x0000000000970000-0x0000000000971000-memory.dmp (Filesize: 4KB)
- memory/4020-8-0x00000000777B2000-0x00000000777B3000-memory.dmp (Filesize: 4KB)
- memory/4020-6-0x00000000026D0000-0x00000000026D1000-memory.dmp (Filesize: 4KB)