raccoon | ecb89e9f66cd7f37efefec4cb211770200ccb17c810ad741cb3ec141e41c361c

Analysis

max time kernel
134s
max time network
137s
platform
windows10_x64
resource
win10
submitted
08-07-2020 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509fbb95026308e9f02cefd909499184.exe
Size

985KB
MD5

509fbb95026308e9f02cefd909499184
SHA1

a8c63734588c2c06211b7646f957a9d0225fdd4f
SHA256

ecb89e9f66cd7f37efefec4cb211770200ccb17c810ad741cb3ec141e41c361c
SHA512

3e5add9d78cb751c0a7362f7b283747e9fbe6efc6037cdfb024d527cba4279da8affdd93b0c2eb24b0a964c2a1003c0d38756786d245e1ccac1c0a9397b8f504

Score

10^/10

ransomware stealer raccoon spyware discovery

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.07.08 - 16:48:24 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (741 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MicrosoftEdge.exe

pid process

3516 MicrosoftEdge.exe

pid	process
3516	MicrosoftEdge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

MicrosoftEdge.exeWerFault.exetaskkill.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3516	MicrosoftEdge.exe
Token: SeDebugPrivilege	3516	MicrosoftEdge.exe
Token: SeDebugPrivilege	3516	MicrosoftEdge.exe
Token: SeDebugPrivilege	3516	MicrosoftEdge.exe
Token: SeDebugPrivilege	4248	WerFault.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeRestorePrivilege	568	WerFault.exe
Token: SeBackupPrivilege	568	WerFault.exe
Token: SeDebugPrivilege	568	WerFault.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

WerFault.exewotsuper1.exeWerFault.exe

pid	process
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
3812	wotsuper1.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exewotsuper1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper1.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Modifies control panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Colors MicrosoftEdge.exe
Checks whether UAC is enabled 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MicrosoftEdge.exe

flow	ioc
22	ip-api.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Colors	MicrosoftEdge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdge.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5108 timeout.exe

pid	process
5108	timeout.exe

Checks for installed software on the system 1 TTPs 62 IoCs

discovery

Query Registry

T1012

Processes:

wotsuper1.exewotsuper2.exe509fbb95026308e9f02cefd909499184.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\wotsuper 2.1\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	wotsuper1.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	wotsuper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\wotsuper 2.1\DisplayName = "wotsuper 2.1"	509fbb95026308e9f02cefd909499184.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper1.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	wotsuper2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\wotsuper 2.1\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	wotsuper2.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	wotsuper1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	wotsuper2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	wotsuper2.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

509fbb95026308e9f02cefd909499184.exewotsuper1.execmd.exewotsuper2.execmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 3796	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper.exe
PID 3920 wrote to memory of 3796	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper.exe
PID 3920 wrote to memory of 3796	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper.exe
PID 3920 wrote to memory of 3812	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper1.exe
PID 3920 wrote to memory of 3812	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper1.exe
PID 3920 wrote to memory of 3812	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper1.exe
PID 3920 wrote to memory of 4104	3920	509fbb95026308e9f02cefd909499184.exe	regedit.exe
PID 3920 wrote to memory of 4104	3920	509fbb95026308e9f02cefd909499184.exe	regedit.exe
PID 3920 wrote to memory of 4104	3920	509fbb95026308e9f02cefd909499184.exe	regedit.exe
PID 3920 wrote to memory of 4128	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper2.exe
PID 3920 wrote to memory of 4128	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper2.exe
PID 3920 wrote to memory of 4128	3920	509fbb95026308e9f02cefd909499184.exe	wotsuper2.exe
PID 3812 wrote to memory of 4908	3812	wotsuper1.exe	cmd.exe
PID 3812 wrote to memory of 4908	3812	wotsuper1.exe	cmd.exe
PID 3812 wrote to memory of 4908	3812	wotsuper1.exe	cmd.exe
PID 4908 wrote to memory of 4952	4908	cmd.exe	taskkill.exe
PID 4908 wrote to memory of 4952	4908	cmd.exe	taskkill.exe
PID 4908 wrote to memory of 4952	4908	cmd.exe	taskkill.exe
PID 4128 wrote to memory of 5076	4128	wotsuper2.exe	cmd.exe
PID 4128 wrote to memory of 5076	4128	wotsuper2.exe	cmd.exe
PID 4128 wrote to memory of 5076	4128	wotsuper2.exe	cmd.exe
PID 5076 wrote to memory of 5108	5076	cmd.exe	timeout.exe
PID 5076 wrote to memory of 5108	5076	cmd.exe	timeout.exe
PID 5076 wrote to memory of 5108	5076	cmd.exe	timeout.exe

Executes dropped EXE 3 IoCs

Processes:

wotsuper.exewotsuper1.exewotsuper2.exe

pid process

3796 wotsuper.exe
3812 wotsuper1.exe
4128 wotsuper2.exe

pid	process
3796	wotsuper.exe
3812	wotsuper1.exe
4128	wotsuper2.exe

Loads dropped DLL 10 IoCs

Processes:

wotsuper1.exewotsuper2.exe

pid	process
3812	wotsuper1.exe
3812	wotsuper1.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe
4128	wotsuper2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4104 regedit.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4952 taskkill.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4248 3516 WerFault.exe MicrosoftEdge.exe
568 3796 WerFault.exe wotsuper.exe
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4248 created 3516 4248 WerFault.exe MicrosoftEdge.exe
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

pid	process
4104	regedit.exe

pid	process
4952	taskkill.exe

pid	pid_target	process	target process
4248	3516	WerFault.exe	MicrosoftEdge.exe
568	3796	WerFault.exe	wotsuper.exe

description	pid	process	target process
PID 4248 created 3516	4248	WerFault.exe	MicrosoftEdge.exe

yara_rule
raccoon_log_file

Drops file in Program Files directory 5 IoCs

Processes:

509fbb95026308e9f02cefd909499184.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	509fbb95026308e9f02cefd909499184.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	509fbb95026308e9f02cefd909499184.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	509fbb95026308e9f02cefd909499184.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	509fbb95026308e9f02cefd909499184.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe	509fbb95026308e9f02cefd909499184.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Drops file in Windows directory 2 IoCs

Processes:

509fbb95026308e9f02cefd909499184.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	509fbb95026308e9f02cefd909499184.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies registry class 113 IoCs

Processes:

MicrosoftEdge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 8a978de4d243d601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000706d36917216e50972e7c6ff8510888c30c180b0262b92654f795b24ddea364b39826e7519f819817ce2104b3d6f180e32b2b7b304456f57e502	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{55AE54F4-B367-439D-A88D-5B3ED57F2E22}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe

C:\Users\Admin\AppData\Local\Temp\509fbb95026308e9f02cefd909499184.exe
"C:\Users\Admin\AppData\Local\Temp\509fbb95026308e9f02cefd909499184.exe"
1⤵
- Checks for installed software on the system
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3920
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1356
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Program crash
    PID:568
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Checks processor information in registry
  - Checks for installed software on the system
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im wotsuper1.exe /f & erase C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im wotsuper1.exe /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Kills process with taskkill
      PID:4952
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Runs .reg file with regedit
  PID:4104
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe"
  2⤵
  - Checks for installed software on the system
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Modifies control panel
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
PID:3516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3516 -s 3428
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Checks processor information in registry
  - Enumerates system info in registry
  - Program crash
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4248

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe

Download Submit
\ProgramData\mozglue.dll

Download Submit
\ProgramData\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/568-344-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/568-355-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3796-12-0x00000000020D0000-0x00000000020EE000-memory.dmp

Filesize
120KB

Download
memory/3796-350-0x0000000000000000-mapping.dmp

Download
memory/3796-345-0x0000000000000000-mapping.dmp

Download
memory/3796-354-0x0000000000000000-mapping.dmp

Download
memory/3796-353-0x0000000000000000-mapping.dmp

Download
memory/3796-352-0x0000000000000000-mapping.dmp

Download
memory/3796-351-0x0000000000000000-mapping.dmp

Download
memory/3796-347-0x0000000000000000-mapping.dmp

Download
memory/3796-349-0x0000000000000000-mapping.dmp

Download
memory/3796-348-0x0000000000000000-mapping.dmp

Download
memory/3796-346-0x0000000000000000-mapping.dmp

Download
memory/3796-0-0x0000000000000000-mapping.dmp

Download
memory/3796-10-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/3812-2-0x0000000000000000-mapping.dmp

Download
memory/4104-5-0x0000000000000000-mapping.dmp

Download
memory/4128-17-0x00000000034C2000-0x00000000034C3000-memory.dmp

Filesize
4KB

Download
memory/4128-7-0x0000000000000000-mapping.dmp

Download
memory/4128-18-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4248-13-0x00000270052D0000-0x00000270052D1000-memory.dmp

Filesize
4KB

Download
memory/4248-14-0x00000270052D0000-0x00000270052D1000-memory.dmp

Filesize
4KB

Download
memory/4248-16-0x0000027006240000-0x0000027006241000-memory.dmp

Filesize
4KB

Download
memory/4248-26-0x0000027006180000-0x0000027006181000-memory.dmp

Filesize
4KB

Download
memory/4248-21-0x0000027006330000-0x0000027006331000-memory.dmp

Filesize
4KB

Download
memory/4248-22-0x00000270052B0000-0x00000270052B1000-memory.dmp

Filesize
4KB

Download
memory/4908-333-0x0000000000000000-mapping.dmp

Download
memory/4952-334-0x0000000000000000-mapping.dmp

Download
memory/5076-342-0x0000000000000000-mapping.dmp

Download
memory/5108-343-0x0000000000000000-mapping.dmp

Download