Analysis
max time kernel: 32s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-01-2025 16:23
Static task: static1
Behavioral task: behavioral1
Sample: 82625d3ec756ae606b729ab6e90c706dd57a83e807e87b06dd3205bdd3638752.dll
Resource: win7-20240903-en
General
Target: 82625d3ec756ae606b729ab6e90c706dd57a83e807e87b06dd3205bdd3638752.dll
Size: 564KB
MD5: 93372c9ac519f7fdc0a9aa967c01cf59
SHA1: 87434cbe70d2eecd737912a529bbf0e2599ceb45
SHA256: 82625d3ec756ae606b729ab6e90c706dd57a83e807e87b06dd3205bdd3638752
SHA512: c39a4311cfd80df56a906d931362603f7bbeceab5c424d78593214325902017385a3ac552bdbd433b0cf11d8c89f83eab9a2d89f56f1ed585d75b02ebbfcdbc5
SSDEEP: 12288:tehnaNPpSVZmNxRCwnwm3W3OHIIf5m9RhWFVg:teh0PpS6NxNnwYeOHXAhWTg
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (svchost.exe)
Modifies firewall policy service (3 TTPs, 9 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (svchost.exe)
Ramnit family

Sality family
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svchost.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svchost.exe)
Executes dropped EXE (2 IoCs)
- PID 2840 rundll32mgr.exe
- PID 2720 WaterMark.exe
Loads dropped DLL (4 IoCs)
- PID 316 rundll32.exe
- PID 316 rundll32.exe
- PID 2840 rundll32mgr.exe
- PID 2840 rundll32mgr.exe
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rundll32mgr.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (WaterMark.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (WaterMark.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (rundll32mgr.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\G: (WaterMark.exe)
- File opened (read-only) \??\L: (WaterMark.exe)
- File opened (read-only) \??\G: (svchost.exe)
- File opened (read-only) \??\J: (svchost.exe)
- File opened (read-only) \??\K: (svchost.exe)
- File opened (read-only) \??\I: (WaterMark.exe)
- File opened (read-only) \??\M: (WaterMark.exe)
- File opened (read-only) \??\E: (svchost.exe)
- File opened (read-only) \??\H: (svchost.exe)
- File opened (read-only) \??\E: (WaterMark.exe)
- File opened (read-only) \??\K: (WaterMark.exe)
- File opened (read-only) \??\N: (WaterMark.exe)
- File opened (read-only) \??\H: (WaterMark.exe)
- File opened (read-only) \??\J: (WaterMark.exe)
- File opened (read-only) \??\I: (svchost.exe)
Drops file in System32 directory (3 IoCs)
- File created C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)
- File created C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
Yara rule matches on memory dumps (rule: upx)
- behavioral1/memory/2840-13-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-17-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-16-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-15-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-14-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-25-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-24-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-28-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2840-22-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-27-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-20-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-21-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-30-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-32-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-23-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-31-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2840-54-0x0000000002680000-0x000000000370E000-memory.dmp (upx)
- behavioral1/memory/2720-78-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-120-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2720-119-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-77-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-68-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-423-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-656-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
- behavioral1/memory/2720-710-0x0000000002A60000-0x0000000003AEE000-memory.dmp (upx)
- behavioral1/memory/2720-709-0x0000000000400000-0x0000000000421000-memory.dmp (upx)
Drops file in Program Files directory (64 IoCs; files opened for modification by svchost.exe under C:\Program Files and C:\Program Files (x86))
Drops file in Windows directory (1 IoC)
- File opened for modification C:\Windows\SYSTEM.INI (rundll32mgr.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WaterMark.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32mgr.exe)
Suspicious behavior: EnumeratesProcesses (19 IoCs)
- PID 2840 rundll32mgr.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 2720 WaterMark.exe
- PID 1420 svchost.exe
- PID 1420 svchost.exe
- PID 2720 WaterMark.exe
- PID 1420 svchost.exe
- PID 1420 svchost.exe
- PID 2348 svchost.exe
- PID 1420 svchost.exe
- PID 1420 svchost.exe
- PID 2348 svchost.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2840 rundll32mgr.exe
- Token: SeDebugPrivilege, PID 2720 WaterMark.exe
- Token: SeDebugPrivilege, PID 2720 WaterMark.exe
- Token: SeDebugPrivilege, PID 2720 WaterMark.exe
- Token: SeDebugPrivilege, PID 1420 svchost.exe
- Token: SeDebugPrivilege, PID 2720 WaterMark.exe
- Token: SeDebugPrivilege, PID 2720 WaterMark.exe
- Token: SeDebugPrivilege, PID 2348 svchost.exe
- Token: SeDebugPrivilege, PID 2348 svchost.exe
Suspicious use of UnmapMainImage (2 IoCs)
- PID 2840 rundll32mgr.exe
- PID 2720 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs; see the parent/child chain in the Processes section below)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (WaterMark.exe)
Processes
- C:\Windows\System32\smss.exe (PID 256): \SystemRoot\System32\smss.exe
- C:\Windows\system32\csrss.exe (PID 332): %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\csrss.exe (PID 384): %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (PID 392): wininit.exe
  - C:\Windows\system32\services.exe (PID 476): C:\Windows\system32\services.exe
    - C:\Windows\system32\svchost.exe (PID 596): C:\Windows\system32\svchost.exe -k DcomLaunch
      - C:\Windows\system32\DllHost.exe (PID 324): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 556): C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    - C:\Windows\system32\svchost.exe (PID 672): C:\Windows\system32\svchost.exe -k RPCSS
    - C:\Windows\System32\svchost.exe (PID 748): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - C:\Windows\System32\svchost.exe (PID 824): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - C:\Windows\system32\Dwm.exe (PID 1120): "C:\Windows\system32\Dwm.exe"
    - C:\Windows\system32\svchost.exe (PID 860): C:\Windows\system32\svchost.exe -k netsvcs
      - C:\Windows\system32\wbem\WMIADAP.EXE (PID 2068): wmiadap.exe /F /T /R
    - C:\Windows\system32\svchost.exe (PID 972): C:\Windows\system32\svchost.exe -k LocalService
    - C:\Windows\system32\svchost.exe (PID 268): C:\Windows\system32\svchost.exe -k NetworkService
    - C:\Windows\System32\spoolsv.exe (PID 328): C:\Windows\System32\spoolsv.exe
    - C:\Windows\system32\taskhost.exe (PID 1072): "taskhost.exe"
    - C:\Windows\system32\svchost.exe (PID 1140): C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - C:\Windows\system32\svchost.exe (PID 3068): C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - C:\Windows\system32\sppsvc.exe (PID 2404): C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\lsass.exe (PID 492): C:\Windows\system32\lsass.exe
  - C:\Windows\system32\lsm.exe (PID 500): C:\Windows\system32\lsm.exe
- C:\Windows\system32\winlogon.exe (PID 424): winlogon.exe
- C:\Windows\Explorer.EXE (PID 1184): C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 1808): rundll32.exe C:\Users\Admin\AppData\Local\Temp\82625d3ec756ae606b729ab6e90c706dd57a83e807e87b06dd3205bdd3638752.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 316): rundll32.exe C:\Users\Admin\AppData\Local\Temp\82625d3ec756ae606b729ab6e90c706dd57a83e807e87b06dd3205bdd3638752.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgr.exe (PID 2840): C:\Windows\SysWOW64\rundll32mgr.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - System policy modification
        - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2720): "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          - System policy modification
          - C:\Windows\SysWOW64\svchost.exe (PID 2348): C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\svchost.exe (PID 1420): C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 181KB
  MD5: 6711d0236ff32e20c136b2873776b48d
  SHA1: 5f3f4e4f456f2a9dbc28785506d6cc07c02a8a6d
  SHA256: 9fbe89bc6a0a2901f8b126405e5f4d55d3a4734bc79d722bc6a3561cc9d7f686
  SHA512: dd8c7cd42905cb8a21662bf2ece21e887315aa69fd71cd761f3518441860bac6a027af4d6d52ec4f3d37bb4780fe07ad2e0ab45f14555e0af7895c2b381d0d0c
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 342KB
  MD5: 4c0993c041a25264e3fb83325c94afec
  SHA1: 1525c0645c0321bebe509890550773cbb717332b
  SHA256: 3c7b77b43782463132f59ae34080269c9ed112a5d8078c576e5152bf988ffadc
  SHA512: 3cc771f51e866b7cbdc0a5da3cc55b096de926030c35662a0948feb5d5926dd7c79a7b559d293a76d29bef6b0a6fca69af2aad481aef1c48f0df699f265313d5
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 338KB
  MD5: e64752bf0b944f9b44a22966ca16d0b8
  SHA1: fbaf289414685c66bba2dba96cf3476229bfacb9
  SHA256: ea777914cb0951aeccf49c767f01509989fa20d0b58980c75e961a4b8788ad4f
  SHA512: 12e8ae5f3ea39870e65ca6f7a9096b1b4bebde56e69201d130e1d97e602c96a1878462ba94c9baa4063652314e65aa4369500490b10845e35643e3f5c9367f4d
- Filesize: 257B
  MD5: 9d6c2708e78bc815fc02e9456effe3cb
  SHA1: 4c76025234d27019bf329a32b12cd9b59f85e7c9
  SHA256: 19b50e2abc13cacdb6d8adfcc81934423adfcbe1476f163776998bdc2d271413
  SHA512: 923e3c5bc20581b0ad090127f315383d46ab4b19f9ebbe89cb442feb5b0b75e492f18e0797690f1bd0888c81e88ef9811b8af2526ceb5c2f4bbe1c3e3cf00800
- Filesize: 100KB
  MD5: 411af8233187eaf37bdd0caccc24a100
  SHA1: 2183a3d7ffa8da741e20db853e01acd671de621e
  SHA256: 04ccaf9fecb98aa573255103cd927bc0e1e7ea02e2316b93620a7eb4b7be85d7
  SHA512: 6f318cca23a72f90c6ef6dda78abe845d32b0cc483a82e7d499bc4a122179986e2abf32db2348b9935b8fa40cc7384d264540b33451496ea0b40519c0fa5c102
- Filesize: 164KB
  MD5: a3b1f1c4cd75bea10095e054f990bf1d
  SHA1: 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
  SHA256: a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
  SHA512: 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94