Analysis
- max time kernel: 94s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2024 19:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll
- Resource: win7-20240903-en
General
- Target: 836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll
- Size: 224KB
- MD5: f4452ffa750b695b3d921c95d4f94eb0
- SHA1: bfb105f0c59478d15bfca22fe93ab1962000c894
- SHA256: 836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fb
- SHA512: 5cd43273ecc00f27db4e4fc3da225c181130f7ed9c4c6937ed2578a2fa28c21fd42682d639555f5af69ded931985bb89347c130ac7251a74b2935abc06ec7c6f
- SSDEEP: 3072:ZGd5SXa28vl8juKJcXV9lCgGNlx91xaafMWtXZDPEs3K0G:0d5h7+juU8V9rGrr1xaaflpDPEs3HG
Malware Config
Signatures
- Ramnit family
Executes dropped EXE 4 IoCs
- PID 4604: rundll32mgr.exe
- PID 3736: rundll32mgrmgr.exe
- PID 428: WaterMark.exe
- PID 3452: WaterMark.exe
Drops file in System32 directory 2 IoCs
- File created: C:\Windows\SysWOW64\rundll32mgr.exe (process: rundll32.exe)
- File created: C:\Windows\SysWOW64\rundll32mgrmgr.exe (process: rundll32mgr.exe)
Drops file in Program Files directory 5 IoCs
- File opened for modification: C:\Program Files (x86)\Microsoft\px9EC0.tmp (process: rundll32mgrmgr.exe)
- File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: rundll32mgrmgr.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: rundll32mgrmgr.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\px9ED0.tmp (process: rundll32mgr.exe)
- File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: rundll32mgr.exe)
Program crash 3 IoCs
- PID 5056 WerFault.exe, target PID 3120 (procid_target 90)
- PID 1136 WerFault.exe, target PID 2864 (procid_target 81)
- PID 4644 WerFault.exe, target PID 3076 (procid_target 88)
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32mgrmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WaterMark.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WaterMark.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32mgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 428 WaterMark.exe
- Token: SeDebugPrivilege, PID 3452 WaterMark.exe
Suspicious use of FindShellTrayWindow 4 IoCs
- PID 4868: iexplore.exe
- PID 796: iexplore.exe
- PID 3392: iexplore.exe
- PID 5044: iexplore.exe
Suspicious use of SetWindowsHookEx 18 IoCs
Suspicious use of UnmapMainImage 4 IoCs
- PID 3736: rundll32mgrmgr.exe
- PID 4604: rundll32mgr.exe
- PID 428: WaterMark.exe
- PID 3452: WaterMark.exe
Suspicious use of WriteProcessMemory 53 IoCs
Processes
- [1] C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll,#1
  PID: 2144
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fbN.dll,#1
    PID: 2864
    Signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32mgr.exe
      Command: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 4604
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Command: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        PID: 3736
        Signatures: Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\WaterMark.exe
          Command: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          PID: 428
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\svchost.exe
            Command: C:\Windows\system32\svchost.exe
            PID: 3076
            - [7] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 204
              PID: 4644
              Signatures: Program crash
          - [6] C:\Program Files\Internet Explorer\iexplore.exe
            Command: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 3392
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
              PID: 4752
              Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          - [6] C:\Program Files\Internet Explorer\iexplore.exe
            Command: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 5044
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5044 CREDAT:17410 /prefetch:2
              PID: 3412
              Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - [4] C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 3452
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\svchost.exe
          Command: C:\Windows\system32\svchost.exe
          PID: 3120
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 204
            PID: 5056
            Signatures: Program crash
        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 796
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:17410 /prefetch:2
            PID: 1172
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 4868
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4868 CREDAT:17410 /prefetch:2
            PID: 5036
            Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 608
      PID: 1136
      Signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
  PID: 4848
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3076 -ip 3076
  PID: 4500
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3120 -ip 3120
  PID: 1604
Network
MITRE ATT&CK Enterprise v15
Downloads