Analysis
- max time kernel: 81s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 03:31

Static task: static1
Behavioral task: behavioral1
Sample: d0f205847003aab8bdb5dfc2f138a497ec56a5ab0e184bda67efebaeefa1a862.dll
Resource: win7-20240220-en
General
- Target: d0f205847003aab8bdb5dfc2f138a497ec56a5ab0e184bda67efebaeefa1a862.dll
- Size: 677KB
- MD5: a4de91735cad51050bc92815bee5d1aa
- SHA1: 382dcb85639c2c8282780fb2b53f47147bda7005
- SHA256: d0f205847003aab8bdb5dfc2f138a497ec56a5ab0e184bda67efebaeefa1a862
- SHA512: e6090d8694c83f9afc333844b74be3572ed8f65229ba980abf85ad4cbffd05cdc94db455656282b45451083e2e5f2d4c399df6ba5409577ad2fe025abe2fc3f3
- SSDEEP: 6144:/NIQzLZN4k3WvmRPLx+xXqOkyWh9ZN/c4bsXdHtVHs7ZYkJH1:/NIyZN4+Wv4PLq6Okrh9ZN/hs9DsdY41
Signatures
UPX dump on OEP (original entry point) 10 IoCs
Processes: rundll32mgr.exe (PID 2556), WaterMark.exe (PID 3472)
resource (memory dump) -> yara_rule
- behavioral2/memory/2556-11-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/3472-30-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/3472-29-0x0000000000400000-0x0000000000426000-memory.dmp -> UPX
- behavioral2/memory/3472-27-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/2556-12-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/2556-10-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/2556-9-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/2556-8-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/2556-7-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
- behavioral2/memory/3472-40-0x0000000000400000-0x0000000000421000-memory.dmp -> UPX
Executes dropped EXE 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid -> process
- 2556 -> rundll32mgr.exe
- 3472 -> WaterMark.exe
Memory dumps matching yara rule upx
resource (memory dump) -> yara_rule
- behavioral2/memory/2556-11-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/3472-30-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/3472-29-0x0000000000400000-0x0000000000426000-memory.dmp -> upx
- behavioral2/memory/3472-27-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-12-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-10-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-9-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-8-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-7-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/2556-6-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
- behavioral2/memory/3472-40-0x0000000000400000-0x0000000000421000-memory.dmp -> upx
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description -> ioc (process)
- File created -> C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)
Drops file in Program Files directory 3 IoCs
Processes: rundll32mgr.exe
description -> ioc (process)
- File opened for modification -> C:\Program Files (x86)\Microsoft\px3D95.tmp (rundll32mgr.exe)
- File created -> C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
- File opened for modification -> C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid process -> pid_target target process
- 4744 WerFault.exe -> 2904 svchost.exe
- 3460 WerFault.exe -> 4912 rundll32.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
description -> ioc (process)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (str) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (data) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1580C91B-27A3-11EF-9519-5ABC67A14C95} = "0" (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15858DEC-27A3-11EF-9519-5ABC67A14C95} = "0" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424238565" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Set value (str) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (data) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str) -> \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: WaterMark.exe
pid -> process
- 3472 -> WaterMark.exe (16 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: WaterMark.exe
description -> pid process
- Token: SeDebugPrivilege -> 3472 WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe, iexplore.exe
pid -> process
- 1192 -> iexplore.exe
- 3940 -> iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid -> process
- 3940 -> iexplore.exe (2 events)
- 1192 -> iexplore.exe (2 events)
- 1356 -> IEXPLORE.EXE (2 events)
- 4692 -> IEXPLORE.EXE (2 events)
- 1356 -> IEXPLORE.EXE (2 events)
Suspicious use of UnmapMainImage 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid -> process
- 2556 -> rundll32mgr.exe
- 3472 -> WaterMark.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe, WaterMark.exe, iexplore.exe, iexplore.exe
description: pid process -> target pid target process
- PID 3200 rundll32.exe wrote to memory of 4912 rundll32.exe (3 events)
- PID 4912 rundll32.exe wrote to memory of 2556 rundll32mgr.exe (3 events)
- PID 2556 rundll32mgr.exe wrote to memory of 3472 WaterMark.exe (3 events)
- PID 3472 WaterMark.exe wrote to memory of 2904 svchost.exe (9 events)
- PID 3472 WaterMark.exe wrote to memory of 3940 iexplore.exe (2 events)
- PID 3472 WaterMark.exe wrote to memory of 1192 iexplore.exe (2 events)
- PID 1192 iexplore.exe wrote to memory of 4692 IEXPLORE.EXE (3 events)
- PID 3940 iexplore.exe wrote to memory of 1356 IEXPLORE.EXE (3 events)
Processes
Process tree: each indented process is a child of the process above it; the image path is followed by the PID, the command line, and the signatures attributed to that process.

C:\Windows\system32\rundll32.exe (PID 3200)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0f205847003aab8bdb5dfc2f138a497ec56a5ab0e184bda67efebaeefa1a862.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4912)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0f205847003aab8bdb5dfc2f138a497ec56a5ab0e184bda67efebaeefa1a862.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe (PID 2556)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 3472)
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe (PID 2904)
          command line: C:\Windows\system32\svchost.exe
          C:\Windows\SysWOW64\WerFault.exe (PID 4744)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 204
            - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe (PID 3940)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1356)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe (PID 1192)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4692)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe (PID 3460)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 608
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 2448)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe (PID 4184)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2904 -ip 2904
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1580C91B-27A3-11EF-9519-5ABC67A14C95}.dat
  Filesize: 3KB
  MD5: ac64751a513a4951f741986ae8f2eb37
  SHA1: 972b7df70e8fea1490726f7766e4019f63c2d624
  SHA256: 43b09f29cbe78cb5d9ceb517f1dd08162218d421448fa5decb7f0ecb9288cea4
  SHA512: 6b72b7bb317f78399b7b9a260b4db9abc8871db170178d28b8c56a81b1de61fbb67a1f5dc0e392ada10e3c68fa20d45c2912368ab2f649a0de663f0628baf5a6
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{15858DEC-27A3-11EF-9519-5ABC67A14C95}.dat
  Filesize: 5KB
  MD5: 4d70946c281275ef314e353f83923880
  SHA1: 56ebe79fcdc34b84f2261406c547845c01b9a967
  SHA256: 2468c92d76e77c3db8df6183987b8af8b19be90a8ed30bc398c6557767bf41bd
  SHA512: d95776e65d6d5247cb2b3bdf5e9fc604b877dd9c546c6e7c46bb519e0b0717a4686cb0f74f4211508242701fd76aa7dd02a12533257ee89d0d858659d3438951
- (file path not given in the report)
  Filesize: 92KB
  MD5: 8499caf4ab80f33508daa32513cc1c7e
  SHA1: d252d6bad7adce4ffe5c2795fb1e5e6fcca7cbd2
  SHA256: 22a4a2fab776db0d00df29a577b354ba8d775c434b1e88ce4835c6f2e5b4cbd1
  SHA512: cea57e7540550dc1a88933f5e37a473266892a00da754e8d86519cda4a15cde78915cfe619f9b52d48569627ee8fec51eba4b64bf5ca316874c970113e8a0873