Analysis
- Max time kernel: 25s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 05/12/2024, 03:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 246631eb0bbe15e9a48a303e176e1a2e1008ee711b7265c0746d9d9453e35a7aN.dll
- Resource: win7-20240903-en
General
- Target: 246631eb0bbe15e9a48a303e176e1a2e1008ee711b7265c0746d9d9453e35a7aN.dll
- Size: 377KB
- MD5: 27b47180906b194cd5b9c6719a37f280
- SHA1: b8f9a68f22c40ad76a54cb868092419eb48d577b
- SHA256: 246631eb0bbe15e9a48a303e176e1a2e1008ee711b7265c0746d9d9453e35a7a
- SHA512: 8628820a3be84f1fd52d0819c7519a93ea757538b2461a13895cd461d0eed427c1330e483742dd77a580b5f31a8ca03aadaa47ce2dfcca3416ec7b522eb2511a
- SSDEEP: 6144:uxGMku94XCzTurXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01F:uxGCOXzURlbDC9K69u2m+SqOWcsQQKiN
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (svchost.exe)
Modifies firewall policy service (3 TTPs, 6 IoCs)
Values set (int) under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\:
- EnableFirewall = "0" (rundll32mgr.exe)
- DoNotAllowExceptions = "0" (rundll32mgr.exe)
- DisableNotifications = "1" (rundll32mgr.exe)
- EnableFirewall = "0" (WaterMark.exe)
- DoNotAllowExceptions = "0" (WaterMark.exe)
- DisableNotifications = "1" (WaterMark.exe)
Ramnit family

Sality family
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
Windows security bypass
Values set (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- by rundll32mgr.exe: AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify
- by WaterMark.exe: FirewallDisableNotify, UacDisableNotify, UpdatesDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride
Executes dropped EXE (2 IoCs)
- PID 1784 rundll32mgr.exe
- PID 1616 WaterMark.exe
Loads dropped DLL (4 IoCs)
- PID 2684 rundll32.exe (2 entries)
- PID 1784 rundll32mgr.exe (2 entries)
Windows security modification
Changes under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- by rundll32mgr.exe: values AntiVirusOverride, FirewallOverride, UpdatesDisableNotify, FirewallDisableNotify, AntiVirusDisableNotify, UacDisableNotify set (int) to "1"; key Svc created
- by WaterMark.exe: values AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, AntiVirusDisableNotify, UpdatesDisableNotify set (int) to "1"; key Svc created
Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (WaterMark.exe)
- File opened (read-only): \??\G: (WaterMark.exe)
- File opened (read-only): \??\H: (WaterMark.exe)
- File opened (read-only): \??\I: (WaterMark.exe)
Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
yara rule upx matched in memory dumps of PID 1784 (rundll32mgr.exe) and PID 1616 (WaterMark.exe)
Drops file in Program Files directory (64 IoCs)
- File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
Files opened for modification by svchost.exe:
- C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll
- C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll
- C:\Program Files\Common Files\System\wab32.dll
- C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
- C:\Program Files\Common Files\System\ado\msadomd.dll
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll
- C:\Program Files\Common Files\System\DirectDB.dll
- C:\Program Files\Common Files\System\msadc\msdaprst.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
- C:\Program Files\Common Files\System\Ole DB\msdasql.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll
- C:\Program Files\Common Files\System\Ole DB\sqloledb.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
- C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll
- C:\Program Files\Common Files\System\msadc\msdfmap.dll
- C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll
- C:\Program Files\DVD Maker\Pipeline.dll
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
- C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
- C:\Program Files\DVD Maker\DVDMaker.exe
- C:\Program Files\7-Zip\7-zip32.dll
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL
- C:\Program Files\Common Files\System\msadc\msadcs.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll
- C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll
- C:\Program Files\Common Files\System\ado\msadrh15.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL
- C:\Program Files\Common Files\System\msadc\msadds.dll
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\System\msadc\msadce.dll
- C:\Program Files\Common Files\System\msadc\msaddsr.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
- C:\Program Files\Common Files\System\msadc\msdaprsr.dll
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
- C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll
- C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
- C:\Program Files\DVD Maker\PipeTran.dll
- C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll
- C:\Program Files\7-Zip\7z.dll
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SYSTEM.INI (rundll32mgr.exe)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rundll32mgr.exe
- WaterMark.exe
- svchost.exe (2 entries)
- rundll32.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 1784 rundll32mgr.exe (1 entry)
- PID 1616 WaterMark.exe (10 entries)
- PID 2076 svchost.exe (1 entry)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Token: SeDebugPrivilege, adjusted repeatedly by PID 1784 rundll32mgr.exe and PID 1616 WaterMark.exe, and once by PID 2076 svchost.exe (48 entries in total)
Suspicious use of UnmapMainImage (2 IoCs)
- PID 1784 rundll32mgr.exe
- PID 1616 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Writer PID (process) -> target PID (process), with the number of recorded writes:
- 1724 (rundll32.exe) -> 2684 (rundll32.exe): 7
- 2684 (rundll32.exe) -> 1784 (rundll32mgr.exe): 4
- 1784 (rundll32mgr.exe) -> 1096 (taskhost.exe): 1, 1176 (Dwm.exe): 1, 1204 (Explorer.EXE): 1, 884 (DllHost.exe): 1, 1724 (rundll32.exe): 1, 2684 (rundll32.exe): 1, 1616 (WaterMark.exe): 4
- 1616 (WaterMark.exe) -> 1096 (taskhost.exe): 2, 1176 (Dwm.exe): 2, 1204 (Explorer.EXE): 2, 884 (DllHost.exe): 2, 2952 (svchost.exe): 12, 2076 (svchost.exe): 12
- 2076 (svchost.exe) -> 256 (smss.exe): 5, 332 (csrss.exe): 5, 380 (wininit.exe): 1
System policy modification (1 TTP, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
Processes
- C:\Windows\System32\smss.exe (PID 256), cmdline: \SystemRoot\System32\smss.exe
- C:\Windows\system32\csrss.exe (PID 332), cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (PID 380), cmdline: wininit.exe
  - C:\Windows\system32\services.exe (PID 476)
    - C:\Windows\system32\svchost.exe -k DcomLaunch (PID 600)
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 1288)
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 884)
    - C:\Windows\system32\svchost.exe -k RPCSS (PID 676)
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted (PID 752)
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted (PID 820)
      - C:\Windows\system32\Dwm.exe (PID 1176)
    - C:\Windows\system32\svchost.exe -k netsvcs (PID 860)
      - C:\Windows\system32\wbem\WMIADAP.EXE (PID 568), cmdline: wmiadap.exe /F /T /R
    - C:\Windows\system32\svchost.exe -k LocalService (PID 976)
    - C:\Windows\system32\svchost.exe -k NetworkService (PID 268)
    - C:\Windows\System32\spoolsv.exe (PID 748)
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork (PID 1076)
    - C:\Windows\system32\taskhost.exe (PID 1096), cmdline: "taskhost.exe"
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 2036)
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation (PID 2220)
    - C:\Windows\system32\sppsvc.exe (PID 2436)
  - C:\Windows\system32\lsass.exe (PID 492)
  - C:\Windows\system32\lsm.exe (PID 500)
- C:\Windows\system32\csrss.exe (PID 396), cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\winlogon.exe (PID 432), cmdline: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1204)
  - C:\Windows\system32\rundll32.exe (PID 1724), cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\246631eb0bbe15e9a48a303e176e1a2e1008ee711b7265c0746d9d9453e35a7aN.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2684), cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\246631eb0bbe15e9a48a303e176e1a2e1008ee711b7265c0746d9d9453e35a7aN.dll,#1
      Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgr.exe (PID 1784)
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 1616)
          Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory; System policy modification
          - C:\Windows\SysWOW64\svchost.exe (PID 2952), cmdline: C:\Windows\system32\svchost.exe
            Signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\svchost.exe (PID 2076), cmdline: C:\Windows\system32\svchost.exe
            Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (6)
Downloads