Overview
overview
10Static
static
10[DemonArch...fb.exe
windows7-x64
1[DemonArch...4e.exe
windows7-x64
7[DemonArch...86.exe
windows7-x64
[DemonArch...1e.exe
windows7-x64
10[DemonArch...a6.exe
windows7-x64
7[DemonArch...a8.exe
windows7-x64
1[DemonArch...4b.exe
windows7-x64
3[DemonArch...6b.dll
windows7-x64
1[DemonArch...23.exe
windows7-x64
8[DemonArch...38.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...03.exe
windows7-x64
5[DemonArch...96.exe
windows7-x64
10[DemonArch...f0.dll
windows7-x64
3[DemonArch...4c.exe
windows7-x64
10[DemonArch...b3.exe
windows7-x64
1[DemonArch...44.exe
windows7-x64
[DemonArch...13.exe
windows7-x64
1[DemonArch...22.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
1[DemonArch...73.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...f6.exe
windows7-x64
[DemonArch...b6.exe
windows7-x64
1[DemonArch...84.exe
windows7-x64
1[DemonArch...a0.exe
windows7-x64
10[DemonArch...9e.exe
windows7-x64
[DemonArch...f2.exe
windows7-x64
[DemonArch...f4.exe
windows7-x64
3[DemonArch...c8.dll
windows7-x64
1[DemonArch...85.dll
windows7-x64
10[DemonArch...71.exe
windows7-x64
Analysis
-
max time kernel
34s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:19
Behavioral task
behavioral1
Sample
[DemonArchives]560184b003e9c461fdfa4ab15cd3b6fb.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
[DemonArchives]58b00f133ec3b7efa68faf94233d594e.exe
Resource
win7-20240611-en
Behavioral task
behavioral3
Sample
[DemonArchives]627ba000cff6d43aa031da4020d15186.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
[DemonArchives]68d0fb679004d3c27c9efa840010881e.exe
Resource
win7-20240611-en
Behavioral task
behavioral5
Sample
[DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
[DemonArchives]6bc2fcef470b064c9bd339c7e2553ea8.exe
Resource
win7-20231129-en
Behavioral task
behavioral7
Sample
[DemonArchives]6bf80d8b5b235df5efb621da1dd61b4b.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
[DemonArchives]6e102d15d6af7c43d43141e9d2a1206b.dll
Resource
win7-20240611-en
Behavioral task
behavioral9
Sample
[DemonArchives]6e4f9763c17ea31c3d1406eabd7db423.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
[DemonArchives]720d7d1deff763aee99bcc266f96b238.exe
Resource
win7-20240611-en
Behavioral task
behavioral11
Sample
[DemonArchives]7a8bde6d1942443bdbf09e610eb1b794.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
[DemonArchives]7da028810a703bb926d39a9b4ba50703.exe
Resource
win7-20231129-en
Behavioral task
behavioral13
Sample
[DemonArchives]7e020e96f43c40b26aa7f880ad0f8a96.exe
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
[DemonArchives]81759dd56bd4387d02cb20d44422c8f0.dll
Resource
win7-20240419-en
Behavioral task
behavioral15
Sample
[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
Resource
win7-20240611-en
Behavioral task
behavioral16
Sample
[DemonArchives]887a4917f4af1126d489a4f4d56b2eb3.exe
Resource
win7-20240508-en
Behavioral task
behavioral17
Sample
[DemonArchives]8edcc9bf66c21c55cf482dcac1c18c44.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
[DemonArchives]973465ab358797d8d056e4f04bda2513.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
[DemonArchives]9a6f31f789128531e4c714e44915f822.exe
Resource
win7-20240220-en
Behavioral task
behavioral20
Sample
[DemonArchives]9afac07fd6517652d6e659963db8b87e.exe
Resource
win7-20240611-en
Behavioral task
behavioral21
Sample
[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
[DemonArchives]a410ac0c141ebeb019661a692020fb94.exe
Resource
win7-20240419-en
Behavioral task
behavioral23
Sample
[DemonArchives]a62aacc19cac89138571eec242bcd4f6.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
[DemonArchives]a7f2bf63baba5ffe2b5e76ab67d25bb6.exe
Resource
win7-20231129-en
Behavioral task
behavioral25
Sample
[DemonArchives]a9ea383aca2b60aece3a27c899e3f784.exe
Resource
win7-20240611-en
Behavioral task
behavioral26
Sample
[DemonArchives]ad9972de71fbca864e9303a043d203a0.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
[DemonArchives]adefb3d586e8f74af30155d21ac5fc9e.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
[DemonArchives]b00c6b1b2a79fc9c57f97d16d58d00f2.exe
Resource
win7-20240220-en
Behavioral task
behavioral29
Sample
[DemonArchives]b2d7c4f62aa3abc7e398981d5c280af4.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
[DemonArchives]c30111080c9e6acc70dd86ff97188ac8.dll
Resource
win7-20240419-en
Behavioral task
behavioral31
Sample
[DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.dll
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
[DemonArchives]e28fe1917c5ffe9a3062ee369087f971.exe
Resource
win7-20240221-en
General
-
Target
[DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.dll
-
Size
1.9MB
-
MD5
ddc0d08019efa4cc5f2a39de99cc0a85
-
SHA1
2935aa4ad7e2a8c3687659a84f943b27ef9bddb9
-
SHA256
8db48baa9134fa85bdee0a3786cf27e12a2c031997ae2f19d0e996203a05fb00
-
SHA512
230d5f8596763f691d8367015f5a2d7ec3b8c5a04167958851bc6b684ff032f784403ea6cd74c2bbfb1b24cb491b2a1fab1ade5a323c43d663c4957d00a03eda
-
SSDEEP
24576:w7IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQjXYvJ:wIY5RMHMf810Knor5zqo3zNJuQjE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Modifies firewall policy service 3 TTPs 9 IoCs
Processes:
rundll32mgr.exeWaterMark.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" svchost.exe -
Processes:
rundll32mgr.exeWaterMark.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
WaterMark.exesvchost.exerundll32mgr.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" svchost.exe -
Executes dropped EXE 2 IoCs
Processes:
rundll32mgr.exeWaterMark.exepid process 2920 rundll32mgr.exe 2648 WaterMark.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exerundll32mgr.exepid process 2436 rundll32.exe 2436 rundll32.exe 2920 rundll32mgr.exe 2920 rundll32mgr.exe -
Processes:
resource yara_rule behavioral31/memory/2920-18-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-17-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-33-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral31/memory/2920-30-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-12-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral31/memory/2920-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2920-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2648-42-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral31/memory/2648-47-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral31/memory/2648-52-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral31/memory/2648-710-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral31/memory/2648-711-0x0000000002670000-0x00000000036FE000-memory.dmp upx -
Processes:
rundll32mgr.exeWaterMark.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32mgr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WaterMark.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" WaterMark.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc WaterMark.exe -
Processes:
rundll32mgr.exeWaterMark.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMark.exe -
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WaterMark.exesvchost.exedescription ioc process File opened (read-only) \??\E: WaterMark.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\H: WaterMark.exe File opened (read-only) \??\I: WaterMark.exe File opened (read-only) \??\L: WaterMark.exe File opened (read-only) \??\M: WaterMark.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\G: WaterMark.exe File opened (read-only) \??\J: WaterMark.exe File opened (read-only) \??\K: WaterMark.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\M: svchost.exe -
Drops file in System32 directory 3 IoCs
Processes:
rundll32.exesvchost.exedescription ioc process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Drops file in Program Files directory 64 IoCs
Processes:
svchost.exerundll32mgr.exedescription ioc process File opened for modification C:\Program Files\Common Files\System\msadc\msdaprsr.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcer.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft\pxF0E.tmp rundll32mgr.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\DirectDB.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\F12.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msador15.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm svchost.exe File opened for modification C:\Program Files\DVD Maker\PipeTran.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadrh15.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7z.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadce.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaosp.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe svchost.exe File opened for modification C:\Program Files\DVD Maker\Pipeline.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html svchost.exe File opened for modification C:\Program Files\Internet Explorer\jsdbgui.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll svchost.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll svchost.exe -
Drops file in Windows directory 1 IoCs
Processes:
WaterMark.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI WaterMark.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3024 2436 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
WaterMark.exesvchost.exesvchost.exepid process 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 2648 WaterMark.exe 1148 svchost.exe 1148 svchost.exe 2648 WaterMark.exe 1148 svchost.exe 1148 svchost.exe 2368 svchost.exe 1148 svchost.exe 1148 svchost.exe 2368 svchost.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
WaterMark.exesvchost.exerundll32.exesvchost.exedescription pid process Token: SeDebugPrivilege 2648 WaterMark.exe Token: SeDebugPrivilege 2648 WaterMark.exe Token: SeDebugPrivilege 2648 WaterMark.exe Token: SeDebugPrivilege 1148 svchost.exe Token: SeDebugPrivilege 2648 WaterMark.exe Token: SeDebugPrivilege 2436 rundll32.exe Token: SeDebugPrivilege 2648 WaterMark.exe Token: SeDebugPrivilege 2368 svchost.exe Token: SeDebugPrivilege 2368 svchost.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
rundll32mgr.exeWaterMark.exepid process 2920 rundll32mgr.exe 2648 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exerundll32mgr.exeWaterMark.exesvchost.exedescription pid process target process PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 2436 2276 rundll32.exe rundll32.exe PID 2436 wrote to memory of 2920 2436 rundll32.exe rundll32mgr.exe PID 2436 wrote to memory of 2920 2436 rundll32.exe rundll32mgr.exe PID 2436 wrote to memory of 2920 2436 rundll32.exe rundll32mgr.exe PID 2436 wrote to memory of 2920 2436 rundll32.exe rundll32mgr.exe PID 2436 wrote to memory of 3024 2436 rundll32.exe WerFault.exe PID 2436 wrote to memory of 3024 2436 rundll32.exe WerFault.exe PID 2436 wrote to memory of 3024 2436 rundll32.exe WerFault.exe PID 2436 wrote to memory of 3024 2436 rundll32.exe WerFault.exe PID 2920 wrote to memory of 2648 2920 rundll32mgr.exe WaterMark.exe PID 2920 wrote to memory of 2648 2920 rundll32mgr.exe WaterMark.exe PID 2920 wrote to memory of 2648 2920 rundll32mgr.exe WaterMark.exe PID 2920 wrote to memory of 2648 2920 rundll32mgr.exe WaterMark.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 2368 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1072 2648 WaterMark.exe taskhost.exe PID 2648 wrote to memory of 1128 2648 WaterMark.exe Dwm.exe PID 2648 wrote to memory of 1152 2648 WaterMark.exe Explorer.EXE PID 2648 wrote to memory of 1712 2648 WaterMark.exe DllHost.exe PID 2648 wrote to memory of 2276 2648 WaterMark.exe rundll32.exe PID 2648 wrote to memory of 2436 2648 WaterMark.exe rundll32.exe PID 2648 wrote to memory of 2436 2648 WaterMark.exe rundll32.exe PID 2648 wrote to memory of 3024 2648 WaterMark.exe WerFault.exe PID 2648 wrote to memory of 3024 2648 WaterMark.exe WerFault.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 2648 wrote to memory of 1148 2648 WaterMark.exe svchost.exe PID 1148 wrote to memory of 260 1148 svchost.exe smss.exe PID 1148 wrote to memory of 260 1148 svchost.exe smss.exe PID 1148 wrote to memory of 260 1148 svchost.exe smss.exe PID 1148 wrote to memory of 260 1148 svchost.exe smss.exe PID 1148 wrote to memory of 260 1148 svchost.exe smss.exe PID 1148 wrote to memory of 340 1148 svchost.exe csrss.exe PID 1148 wrote to memory of 340 1148 svchost.exe csrss.exe PID 1148 wrote to memory of 340 1148 svchost.exe csrss.exe PID 1148 wrote to memory of 340 1148 svchost.exe csrss.exe PID 1148 wrote to memory of 340 1148 svchost.exe csrss.exe PID 1148 wrote to memory of 388 1148 svchost.exe wininit.exe PID 1148 wrote to memory of 388 1148 svchost.exe wininit.exe PID 1148 wrote to memory of 388 1148 svchost.exe wininit.exe PID 1148 wrote to memory of 388 1148 svchost.exe wininit.exe PID 1148 wrote to memory of 388 1148 svchost.exe wininit.exe PID 1148 wrote to memory of 400 1148 svchost.exe csrss.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
rundll32mgr.exeWaterMark.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMark.exe
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\[DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\[DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 2284⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
342KB
MD5f27c64139de7d29c2b7473c91cc68e29
SHA13741742d22a186dcaee249fe29e7f73b11051c22
SHA25675ed8bb478e2434d4c16610f402436ed13b2b350556a940842ba3afac3b3fef0
SHA512e1ed50b6e44b1e56a426615a81a780e33134fa091bc4df203c8242653915c13374bdebaf11fce624e55ad2d114a1da83792530f3013397f7107a74d6d0df7fa2
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
338KB
MD5ba6959ffb613adcc53120be6a1487203
SHA18bdb5de4e43380baa2c28494c3e0e33bcbbcfc2c
SHA256b59d5f3bc8faeb681b5fe5c44924cfca9fafbf0d240debf4b43c9567d858c527
SHA512734d07aad3261a47e830b2b44e34f6325214e7acf674354b4866abc6bb08ede3779bdd6e43499ca805b0ba9c40bb085258973dfdca0b0e9e641886dd583dfbbf
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ec065997b770f85fd20c8679e35e8894
SHA144dc3c43dcdb5da5f5fd4eca48ab91fa6fbb69e5
SHA2563994de6d60586a578bb3bd0193b1ddf8d4b374b34d662b97d8d5fb9fed1ef6cc
SHA5125bbc16e7bebd7cd1bc2acced61913bf765fa0e6114444d45638e9a22a544f0ddffc3ab75a1cde5d9e87a789a3b2c874cef9525bcedc52985e2d4373a5aee8299
-
C:\strg.pifFilesize
100KB
MD55988a8da1e841656fc59ce4ca497d6e3
SHA12dd73e96fb3e2218a5c61d4f3c16cb2e4a669f81
SHA25655377c78d56d02c93738a0ff442fc48ef28750098017c099f43e9b0a334bf612
SHA512a506df8e34af32479126ca74da7a62cd004e9877b6ea21e99d7384037ec8d327b1231e9c2192174da726fca2f6f06e3b8f3e9a57ec2a7964979fd803a8d94f01
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
memory/1072-65-0x0000000002010000-0x0000000002012000-memory.dmpFilesize
8KB
-
memory/2368-57-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2368-55-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2368-101-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2368-97-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2368-93-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2436-11-0x00000000001D0000-0x0000000000204000-memory.dmpFilesize
208KB
-
memory/2436-4-0x00000000001D0000-0x0000000000204000-memory.dmpFilesize
208KB
-
memory/2436-2-0x0000000010000000-0x0000000010373000-memory.dmpFilesize
3.4MB
-
memory/2436-436-0x0000000010000000-0x0000000010373000-memory.dmpFilesize
3.4MB
-
memory/2436-80-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2436-3-0x0000000010000000-0x0000000010373000-memory.dmpFilesize
3.4MB
-
memory/2436-77-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2648-34-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2648-710-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2648-711-0x0000000002670000-0x00000000036FE000-memory.dmpFilesize
16.6MB
-
memory/2648-92-0x00000000038D0000-0x00000000038D1000-memory.dmpFilesize
4KB
-
memory/2648-52-0x0000000002670000-0x00000000036FE000-memory.dmpFilesize
16.6MB
-
memory/2648-47-0x0000000002670000-0x00000000036FE000-memory.dmpFilesize
16.6MB
-
memory/2648-42-0x0000000002670000-0x00000000036FE000-memory.dmpFilesize
16.6MB
-
memory/2920-31-0x0000000000401000-0x0000000000416000-memory.dmpFilesize
84KB
-
memory/2920-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-29-0x0000000000416000-0x0000000000420000-memory.dmpFilesize
40KB
-
memory/2920-30-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-12-0x0000000002640000-0x00000000036CE000-memory.dmpFilesize
16.6MB
-
memory/2920-1152-0x0000000002640000-0x00000000036CE000-memory.dmpFilesize
16.6MB
-
memory/2920-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-33-0x0000000002640000-0x00000000036CE000-memory.dmpFilesize
16.6MB
-
memory/2920-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3024-86-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB