Analysis
-
max time kernel
28s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2025 05:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dfb2357c0b524dc7b1b6a5330bd95cefab6f082ef2472dfe146166c4f5334406.dll
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
General
-
Target
dfb2357c0b524dc7b1b6a5330bd95cefab6f082ef2472dfe146166c4f5334406.dll
-
Size
548KB
-
MD5
b0ddab201ff4b2d4a17269fc1ce55584
-
SHA1
3dc2a28caaa07c4003954cdfc5a7be83724e4954
-
SHA256
dfb2357c0b524dc7b1b6a5330bd95cefab6f082ef2472dfe146166c4f5334406
-
SHA512
74282f5891834d6cc48bdfe6853c9acecb32a54e43f41b169afae430f1a5e348090e3d4116f60a3ddf31e687b270a74ed1c94dd2b77db4e90e1f0266a9a92b76
-
SSDEEP
12288:0ehnaNPpSVZmNxRCwnwm3W3OHIIf5kJXaPTgpn:0eh0PpS6NxNnwYeOHX0XaPc5
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" IEXPLORE.EXE -
Ramnit family
-
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32.exe -
Executes dropped EXE 2 IoCs
pid Process 1212 rundll32mgr.exe 3988 WaterMark.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: IEXPLORE.EXE File opened (read-only) \??\G: IEXPLORE.EXE -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
resource yara_rule behavioral2/memory/1212-6-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-16-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-17-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/3988-57-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-42-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-41-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-19-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-32-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-18-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-8-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/1212-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1212-9-0x0000000003150000-0x00000000041DE000-memory.dmp upx behavioral2/memory/3988-64-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/376-73-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-72-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-76-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-75-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-74-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-71-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-69-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-70-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-67-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-77-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-78-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx behavioral2/memory/376-80-0x0000000002BA0000-0x0000000003C2E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px9EEF.tmp rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI rundll32mgr.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 712 376 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9FC6EAD4-C8CB-11EF-B319-DA61A5E71E4E} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 1212 rundll32mgr.exe 1212 rundll32mgr.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 3988 WaterMark.exe 376 rundll32.exe 376 rundll32.exe 1676 IEXPLORE.EXE 1676 IEXPLORE.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe Token: SeDebugPrivilege 1212 rundll32mgr.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4364 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4364 iexplore.exe 4364 iexplore.exe 1676 IEXPLORE.EXE 1676 IEXPLORE.EXE 1676 IEXPLORE.EXE 1676 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1212 rundll32mgr.exe 3988 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 376 2372 rundll32.exe 83 PID 2372 wrote to memory of 376 2372 rundll32.exe 83 PID 2372 wrote to memory of 376 2372 rundll32.exe 83 PID 376 wrote to memory of 1212 376 rundll32.exe 84 PID 376 wrote to memory of 1212 376 rundll32.exe 84 PID 376 wrote to memory of 1212 376 rundll32.exe 84 PID 1212 wrote to memory of 776 1212 rundll32mgr.exe 8 PID 1212 wrote to memory of 784 1212 rundll32mgr.exe 9 PID 1212 wrote to memory of 316 1212 rundll32mgr.exe 13 PID 1212 wrote to memory of 2616 1212 rundll32mgr.exe 44 PID 1212 wrote to memory of 2644 1212 rundll32mgr.exe 45 PID 1212 wrote to memory of 2796 1212 rundll32mgr.exe 47 PID 1212 wrote to memory of 3584 1212 rundll32mgr.exe 56 PID 1212 wrote to memory of 3700 1212 rundll32mgr.exe 57 PID 1212 wrote to memory of 3904 1212 rundll32mgr.exe 58 PID 1212 wrote to memory of 4028 1212 rundll32mgr.exe 59 PID 1212 wrote to memory of 4088 1212 rundll32mgr.exe 60 PID 1212 wrote to memory of 3008 1212 rundll32mgr.exe 61 PID 1212 wrote to memory of 4064 1212 rundll32mgr.exe 62 PID 1212 wrote to memory of 4484 1212 rundll32mgr.exe 64 PID 1212 wrote to memory of 1988 1212 rundll32mgr.exe 75 PID 1212 wrote to memory of 2476 1212 rundll32mgr.exe 81 PID 1212 wrote to memory of 2372 1212 rundll32mgr.exe 82 PID 1212 wrote to memory of 376 1212 rundll32mgr.exe 83 PID 1212 wrote to memory of 376 1212 rundll32mgr.exe 83 PID 1212 wrote to memory of 640 1212 rundll32mgr.exe PID 1212 wrote to memory of 3988 1212 rundll32mgr.exe 87 PID 1212 wrote to memory of 3988 1212 rundll32mgr.exe 87 PID 1212 wrote to memory of 3988 1212 rundll32mgr.exe 87 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4292 3988 WaterMark.exe 89 PID 3988 wrote to memory of 4364 3988 WaterMark.exe 90 PID 3988 wrote to memory of 4364 3988 WaterMark.exe 90 PID 3988 wrote to memory of 3536 3988 WaterMark.exe 91 PID 3988 wrote to memory of 3536 3988 WaterMark.exe 91 PID 4364 wrote to memory of 1676 4364 iexplore.exe 92 PID 4364 wrote to memory of 1676 4364 iexplore.exe 92 PID 4364 wrote to memory of 1676 4364 iexplore.exe 92 PID 376 wrote to memory of 776 376 rundll32.exe 8 PID 376 wrote to memory of 784 376 rundll32.exe 9 PID 376 wrote to memory of 316 376 rundll32.exe 13 PID 376 wrote to memory of 2616 376 rundll32.exe 44 PID 376 wrote to memory of 2644 376 rundll32.exe 45 PID 376 wrote to memory of 2796 376 rundll32.exe 47 PID 376 wrote to memory of 3584 376 rundll32.exe 56 PID 376 wrote to memory of 3700 376 rundll32.exe 57 PID 376 wrote to memory of 3904 376 rundll32.exe 58 PID 376 wrote to memory of 4028 376 rundll32.exe 59 PID 376 wrote to memory of 4088 376 rundll32.exe 60 PID 376 wrote to memory of 3008 376 rundll32.exe 61 PID 376 wrote to memory of 4064 376 rundll32.exe 62 PID 376 wrote to memory of 4484 376 rundll32.exe 64 PID 376 wrote to memory of 1988 376 rundll32.exe 75 PID 376 wrote to memory of 2372 376 rundll32.exe 82 PID 376 wrote to memory of 4364 376 rundll32.exe 90 PID 376 wrote to memory of 1676 376 rundll32.exe 92 PID 376 wrote to memory of 1676 376 rundll32.exe 92 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2644
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2796
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3584
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfb2357c0b524dc7b1b6a5330bd95cefab6f082ef2472dfe146166c4f5334406.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfb2357c0b524dc7b1b6a5330bd95cefab6f082ef2472dfe146166c4f5334406.dll,#13⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:376 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1212 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵PID:4292
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4364 CREDAT:17410 /prefetch:27⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
PID:3536
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 6084⤵
- Program crash
PID:712
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3700
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3904
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4028
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4088
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3008
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4064
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4484
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:1988
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 376 -ip 3761⤵PID:1432
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:4384
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵PID:4332
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD530f59b20e935520badc298242cb4cff1
SHA100622b2054eb148a8459c2ccd0b22606c2d5c7f6
SHA2564a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c
SHA512f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5178a00f6bbffece29c9cfa9a4f541047
SHA17dd363ab22b24053d5a9d72ba457477de89258a4
SHA2569f9a1f8f9de72b9634cf731dfa36b8d6bcc2c06463486c115b33354e3ebfacc6
SHA5121975718118e73b867b4f45d0bf4715d11fa687a9f45651e30ee9d65e050ed1de80efb746fe6c3bb70c69ddc98e70cecafe97af5a8a0b6748f99b1215deb8b471
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
257B
MD57404db6ef6083dbd7ee6a501e502501d
SHA15ad2649d88d2e75e1495b41d73db1a7c5fb20d07
SHA256cf7f1a70bdbe344aec7890643a3966510676b8ae818db75c3536ec6c92dd329d
SHA512ed98d98a263a2ec76636308786b3be58cfb16827d77c3f367e670d683b883e05036ba341b9a967a0239bfcd3488751eb2983bdfe11e14c0176eaa4e83a709369
-
Filesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
Filesize
100KB
MD5648948ef8704646e58810e8f2861080c
SHA1ddd349b69855696ad787ddfcc81c121e0e523ed8
SHA2569589ac823da061355f932b68a84c5040cda01bf953f567b8686f908c39dfa4b0
SHA51214c1cb6a286f77f1e6118bc6784b700c8c2742b8d2243ce4bcf94db10a0d72719af2d756a02d6097991f0fabf94949f2ddddb92be6bb68de268e3688a6e58789