Analysis
max time kernel: 93s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18-12-2024 01:42
Static task: static1
Behavioral task: behavioral1
Sample: 904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll
Resource: win7-20240903-en
General
Target: 904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll
Size: 847KB
MD5: e39ce0a9490d34de9dcf5707efedbbae
SHA1: 3dafc8544447630375959d8387510f33b0867dac
SHA256: 904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669
SHA512: 5a9f30c9c39b3a0d141d8ab7b03d203c54d4b3062551443831f317f393b4524ef5ac1dc8aca8b687b866150ad0e170b5369c10b987cde592606137ad9159aea6
SSDEEP: 24576:2zb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPEs++iv:2zbKsUmjtcdPGgIwPEsriv
Malware Config
Signatures
Ramnit family

Executes dropped EXE 4 IoCs
pid   Process
2792  rundll32mgr.exe
1204  rundll32mgrmgr.exe
1108  WaterMark.exe
2440  WaterMark.exe
Drops file in System32 directory 2 IoCs
description   ioc                                      Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe      rundll32.exe
File created  C:\Windows\SysWOW64\rundll32mgrmgr.exe   rundll32mgr.exe
resource                                                                      yara_rule
behavioral2/memory/1204-13-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2792-25-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1204-22-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2792-29-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1204-24-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1204-17-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1204-12-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1108-50-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2440-56-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1204-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2440-62-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1108-65-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1108-64-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2440-67-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1108-73-0x0000000000400000-0x0000000000421000-memory.dmp   upx
Drops file in Program Files directory 5 IoCs
description                   ioc                                              Process
File opened for modification  C:\Program Files (x86)\Microsoft\pxC94B.tmp      rundll32mgrmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe   rundll32mgrmgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe   rundll32mgrmgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxC94B.tmp      rundll32mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe   rundll32mgr.exe
Program crash 2 IoCs
pid   pid_target  Process       procid_target
1572  1724        WerFault.exe  88
1968  4712        WerFault.exe  89
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgrmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
description        ioc                                                                                                                                                    Process
Set value (data)   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "749771402"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "753052882"   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"   iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "750240286"   iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150318"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150318"   IEXPLORE.EXE
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31150318"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   IEXPLORE.EXE
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150318"   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58558497-BCE1-11EF-91C3-468C69F2ED48} = "0"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU   IEXPLORE.EXE
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31150318"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "750240286"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150318"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive   iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "750083878"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   IEXPLORE.EXE
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "753209068"   IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{584E3675-BCE1-11EF-91C3-468C69F2ED48} = "0"   iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "749771402"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5852FB20-BCE1-11EF-91C3-468C69F2ED48} = "0"   iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58555D87-BCE1-11EF-91C3-468C69F2ED48} = "0"   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "753052882"   IEXPLORE.EXE
Set value (int)    \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441251126"   iexplore.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid   Process
1108  WaterMark.exe
1108  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
1108  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
2440  WaterMark.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid   Process
Token: SeDebugPrivilege   1108  WaterMark.exe
Token: SeDebugPrivilege   2440  WaterMark.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
1844  iexplore.exe
5084  iexplore.exe
3716  iexplore.exe
1804  iexplore.exe
Suspicious use of SetWindowsHookEx 18 IoCs
pid   Process
1844  iexplore.exe
1844  iexplore.exe
3716  iexplore.exe
3716  iexplore.exe
5084  iexplore.exe
5084  iexplore.exe
1804  iexplore.exe
1804  iexplore.exe
4852  IEXPLORE.EXE
4852  IEXPLORE.EXE
3556  IEXPLORE.EXE
3556  IEXPLORE.EXE
1672  IEXPLORE.EXE
1672  IEXPLORE.EXE
3720  IEXPLORE.EXE
3720  IEXPLORE.EXE
3556  IEXPLORE.EXE
3556  IEXPLORE.EXE
Suspicious use of UnmapMainImage 4 IoCs
pid   Process
1204  rundll32mgrmgr.exe
2792  rundll32mgr.exe
1108  WaterMark.exe
2440  WaterMark.exe
Suspicious use of WriteProcessMemory 53 IoCs
description                          pid   Process             procid_target
PID 3712 wrote to memory of 2972     3712  rundll32.exe        83
PID 3712 wrote to memory of 2972     3712  rundll32.exe        83
PID 3712 wrote to memory of 2972     3712  rundll32.exe        83
PID 2972 wrote to memory of 2792     2972  rundll32.exe        84
PID 2972 wrote to memory of 2792     2972  rundll32.exe        84
PID 2972 wrote to memory of 2792     2972  rundll32.exe        84
PID 2792 wrote to memory of 1204     2792  rundll32mgr.exe     85
PID 2792 wrote to memory of 1204     2792  rundll32mgr.exe     85
PID 2792 wrote to memory of 1204     2792  rundll32mgr.exe     85
PID 1204 wrote to memory of 1108     1204  rundll32mgrmgr.exe  86
PID 1204 wrote to memory of 1108     1204  rundll32mgrmgr.exe  86
PID 1204 wrote to memory of 1108     1204  rundll32mgrmgr.exe  86
PID 2792 wrote to memory of 2440     2792  rundll32mgr.exe     87
PID 2792 wrote to memory of 2440     2792  rundll32mgr.exe     87
PID 2792 wrote to memory of 2440     2792  rundll32mgr.exe     87
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 1108 wrote to memory of 1724     1108  WaterMark.exe       88
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 2440 wrote to memory of 4712     2440  WaterMark.exe       89
PID 1108 wrote to memory of 3716     1108  WaterMark.exe       96
PID 1108 wrote to memory of 3716     1108  WaterMark.exe       96
PID 1108 wrote to memory of 1844     1108  WaterMark.exe       97
PID 1108 wrote to memory of 1844     1108  WaterMark.exe       97
PID 2440 wrote to memory of 5084     2440  WaterMark.exe       98
PID 2440 wrote to memory of 5084     2440  WaterMark.exe       98
PID 2440 wrote to memory of 1804     2440  WaterMark.exe       99
PID 2440 wrote to memory of 1804     2440  WaterMark.exe       99
PID 5084 wrote to memory of 3556     5084  iexplore.exe        101
PID 5084 wrote to memory of 3556     5084  iexplore.exe        101
PID 5084 wrote to memory of 3556     5084  iexplore.exe        101
PID 1844 wrote to memory of 4852     1844  iexplore.exe        103
PID 1844 wrote to memory of 4852     1844  iexplore.exe        103
PID 1844 wrote to memory of 4852     1844  iexplore.exe        103
PID 3716 wrote to memory of 1672     3716  iexplore.exe        102
PID 3716 wrote to memory of 1672     3716  iexplore.exe        102
PID 3716 wrote to memory of 1672     3716  iexplore.exe        102
PID 1804 wrote to memory of 3720     1804  iexplore.exe        104
PID 1804 wrote to memory of 3720     1804  iexplore.exe        104
PID 1804 wrote to memory of 3720     1804  iexplore.exe        104
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#1
  PID: 3712
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#1
    PID: 2972
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 2792
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        PID: 1204
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe
          Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          PID: 1108
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            PID: 1724
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 76
              PID: 1572
              - Program crash
          C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 3716
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17410 /prefetch:2
              PID: 1672
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 1844
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:17410 /prefetch:2
              PID: 4852
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 2440
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 4712
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 204
            PID: 1968
            - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 5084
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
            PID: 3556
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 1804
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:17410 /prefetch:2
            PID: 3720
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1724 -ip 1724
  PID: 4996

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4712 -ip 4712
  PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 641fd00a680e2a2b7c46da9f49d4ac01
SHA1: 91342c03f46164a5ffba758b6201387912e09026
SHA256: 69b70d73aed768e709b4e26268d4bfbb349d3ed2d7fc7bba042a347b29f1062d
SHA512: 004e47e9e0623bf782ad71418257088902bec47d213027287c46393d7a413d69a69fd213df1781d3c49ddde689943d5c5f3ff844fb9cc81c7eeaf331b8a4344f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: c0830253a2d8e42277495a83bf033787
SHA1: 57efb34f6e615708cd33bbce5b3de6354893f911
SHA256: 842358cd219a176e1a4e9868123fb0d7e4a55dee5b44323dccbd982f7ed10500
SHA512: ace000dca52d7435c5c0a2f8b2aac163b8c46fa65ebbab683acf397a49bf147c79bba77858ed2ac9873e554c9d76fb4315c02e8b99c1cd02a85765960d3119ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: cc408022af32c1be8006ae27d6a60523
SHA1: 2ae1fab8584d02e1a4cfecef69d6896c3103b3be
SHA256: 9f995ca28dd92e0159a36726dcec23fb52b98cfbf66b5da068bc5a532322b5a8
SHA512: c206e27421ddda17aced87d82d57306ee9d10061868c3a20d68759c84a4e40906f8714a7005639907c07498264e82bff85e46f1cfcb2e52b41e9387384f27cac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 4918469e436edd2e0a23c59b3070a6e7
SHA1: 0a796dfb5459a27295f174af3f723161ff4a9daa
SHA256: 0766141069f2f012c78f90664af50569e93904b058bdd8e4f8bf055e9f2137c1
SHA512: 538d319bded8c168df9963ea319551bca0421de1a0e8ca5eea1c92b7542c51be387a354d91f75ffbf917bb298a6ff0e4a2a88a47e4e5876115b4c9a5d43c2ff6

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{584E3675-BCE1-11EF-91C3-468C69F2ED48}.dat
Filesize: 3KB
MD5: afcc0be78cd560d0f443ce673d710a76
SHA1: a38d0af64ec8e6b5359a06675809085eb897e293
SHA256: d6acbc8b9d19b87b2bd209ac0102899470974d25744f4dcdcd78437fb5c45be3
SHA512: b8222a6f6f375f094faf40859cedc0ec6c33a21eef83ad72aaad9b1047dc2c7aaa0b3df9b380ea2b09238f87fde4f808abb55fa0409f3d984ba336c7584151ab

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5852FB20-BCE1-11EF-91C3-468C69F2ED48}.dat
Filesize: 5KB
MD5: 39902b885819f97fbd127ece5bd9346f
SHA1: ccd1de9b135a08105418b617431647256aebaab6
SHA256: bc0a7bc8521bb0a707e65e1d44ba0d5ebb13890170575a8fdbd10494299715f7
SHA512: 4ce8be451edfd4b6ffeb4aee9bb8351428c89ff9803c0d1ffee0157240d67808a37e3a2aad3168f4e9c370db63d947fa7ce2a5e996063b032fcf757ccf407781

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58555D87-BCE1-11EF-91C3-468C69F2ED48}.dat
Filesize: 5KB
MD5: 525453ea689c6a87a981176ff503ce18
SHA1: ee7a218bed8b7d05b956af7eaf8993c8f899cdaa
SHA256: a08e213d6025a40736368100ec74e2b0b708e525283a67a844c1dd50b0210a44
SHA512: f416dcf7097fd01854724e05406520583dd6364e16a88453c2a3f6e2ffad4d9c2abdc7874cb0217ed9e85fa040cac1cfd0ceb502be4c362252e5758d07963a46

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58558497-BCE1-11EF-91C3-468C69F2ED48}.dat
Filesize: 3KB
MD5: 1dbf205338e92c5613c5593e85f3527b
SHA1: 7839651bd623113ac59b354999700767268aaade
SHA256: 0c03cfa6fa91c86f9a10b926db96cc1f88b9afb9253930dd889f62a182856d55
SHA512: 576f504c09d203e8ada2b92f129c43ad485e055d135bbf494317ff8a91868bfb68d3ed2c118b7333436fb329a5a4b6ed2978858a814d6c12715b8699567f2847

Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 189KB
MD5: 099e4698fcd0d07e187674a28d6f0753
SHA1: 2d8f6796eb9481e50527192c28d4bb0b35ccf9fd
SHA256: 250f98faf04cfac9aecdc1aac8014c8586b0f08564ad0ca782b17c7703fb6469
SHA512: 94ce6c87edea0678d459d10bd1d5e19e1eba0a9fc54e2e8884c64fe5c67921b80b054b430dcb6b9102385587c48c93a6ac44c4dd77ba1cbdf378171ff8d0ea69

Filesize: 93KB
MD5: 35c2f27961e27275564493d459b6213e
SHA1: d8a65a578457493161262c77d6c76ed7876b6a8d
SHA256: 1a1b741ef968cb4cb2e5a5404366a66cd69b025a5b38814792e2f51d43b2d60d
SHA512: b15bb1a4a5158bb4103d6f62cd64a8ac2df398f2990995a99898bf207fc653a0b877d5904689c106634d2bdb4efb38e55adafd4b07bb199c1875d4a1028ab557