98c7afbcedd4b065eca5ef447f3d054a65653b841acc67612dd7722143124b2c

Analysis

max time kernel
9s
max time network
147s
platform
windows10_x64
resource
win10v200722
submitted
13-08-2020 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b38b75499cf83d346f4a822d0ba030.exe
Size

2.3MB
MD5

d4b38b75499cf83d346f4a822d0ba030
SHA1

69aeec844c0a450e5f8780cf88931891a3e63088
SHA256

98c7afbcedd4b065eca5ef447f3d054a65653b841acc67612dd7722143124b2c
SHA512

90622ffe132c3232d1310dce75736abd51c659843a89428b11bdaa92fbfa66b82fef0e1d1f81050beaa35daf1298f3c23046c7bf2b399acc2b37c6fd8987260d

Score

8^/10

spyware discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

wotsuper.exewotsuper1.exewotsuper2.exetmp1.exetmp2.exe

pid process

3832 wotsuper.exe
2080 wotsuper1.exe
4020 wotsuper2.exe
2668 tmp1.exe
3400 tmp2.exe

pid	process
3832	wotsuper.exe
2080	wotsuper1.exe
4020	wotsuper2.exe
2668	tmp1.exe
3400	tmp2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4b38b75499cf83d346f4a822d0ba030.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation	d4b38b75499cf83d346f4a822d0ba030.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wotsuper2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wotsuper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wotsuper2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com

flow	ioc
35	ip-api.com

Drops file in Program Files directory 6 IoCs

Processes:

d4b38b75499cf83d346f4a822d0ba030.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	d4b38b75499cf83d346f4a822d0ba030.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	d4b38b75499cf83d346f4a822d0ba030.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe	d4b38b75499cf83d346f4a822d0ba030.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper11.exe	d4b38b75499cf83d346f4a822d0ba030.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	d4b38b75499cf83d346f4a822d0ba030.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	d4b38b75499cf83d346f4a822d0ba030.exe

Drops file in Windows directory 2 IoCs

Processes:

d4b38b75499cf83d346f4a822d0ba030.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	d4b38b75499cf83d346f4a822d0ba030.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Colors MicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 126 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = f84f865c2260d601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000870e655e2f4f68e801e97fe9180745f97fe9817f538e16c0ccbba66858df7b43ae701bbbb4c8cf6ab99c294b818c45024c78ce212e827ccfc6ff74d4c5b35cc7a3133e2d3c7f363107990964ee02981fbbdeaa4907fb0dcdae38	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{23AC2331-52FC-494E-B4BB-60646F17A4A3} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2148 regedit.exe

pid	process
2148	regedit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MicrosoftEdge.exe

description	pid	process
Token: SeDebugPrivilege	916	MicrosoftEdge.exe
Token: SeDebugPrivilege	916	MicrosoftEdge.exe
Token: SeDebugPrivilege	916	MicrosoftEdge.exe
Token: SeDebugPrivilege	916	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

916 MicrosoftEdge.exe
1896 MicrosoftEdgeCP.exe

pid	process
916	MicrosoftEdge.exe
1896	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d4b38b75499cf83d346f4a822d0ba030.exewotsuper2.execmd.exe

description	pid	process	target process
PID 3740 wrote to memory of 3832	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper.exe
PID 3740 wrote to memory of 3832	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper.exe
PID 3740 wrote to memory of 3832	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper.exe
PID 3740 wrote to memory of 2080	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper1.exe
PID 3740 wrote to memory of 2080	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper1.exe
PID 3740 wrote to memory of 2080	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper1.exe
PID 3740 wrote to memory of 4020	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper2.exe
PID 3740 wrote to memory of 4020	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper2.exe
PID 3740 wrote to memory of 4020	3740	d4b38b75499cf83d346f4a822d0ba030.exe	wotsuper2.exe
PID 3740 wrote to memory of 2148	3740	d4b38b75499cf83d346f4a822d0ba030.exe	regedit.exe
PID 3740 wrote to memory of 2148	3740	d4b38b75499cf83d346f4a822d0ba030.exe	regedit.exe
PID 3740 wrote to memory of 2148	3740	d4b38b75499cf83d346f4a822d0ba030.exe	regedit.exe
PID 4020 wrote to memory of 2320	4020	wotsuper2.exe	cmd.exe
PID 4020 wrote to memory of 2320	4020	wotsuper2.exe	cmd.exe
PID 4020 wrote to memory of 2320	4020	wotsuper2.exe	cmd.exe
PID 2320 wrote to memory of 2668	2320	cmd.exe	tmp1.exe
PID 2320 wrote to memory of 2668	2320	cmd.exe	tmp1.exe
PID 2320 wrote to memory of 2668	2320	cmd.exe	tmp1.exe
PID 2320 wrote to memory of 3400	2320	cmd.exe	tmp2.exe
PID 2320 wrote to memory of 3400	2320	cmd.exe	tmp2.exe
PID 2320 wrote to memory of 3400	2320	cmd.exe	tmp2.exe

C:\Users\Admin\AppData\Local\Temp\d4b38b75499cf83d346f4a822d0ba030.exe
"C:\Users\Admin\AppData\Local\Temp\d4b38b75499cf83d346f4a822d0ba030.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start tmp1.exe & start tmp2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp1.exe
      tmp1.exe
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp2.exe
      tmp2.exe
      4⤵
      Executes dropped EXE
      PID:3400
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Runs .reg file with regedit
  PID:2148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

MD5
559a3ab04d99bb4cb745938e8ca50df7

SHA1
ad5e3b52aa06e70c7773f6154821a5c9fb71600b

SHA256
ea83340d68d0d0074a2033d733ac1c540a20a1b3695b1736a1acda0d140c2a36

SHA512
0fbf18d40b40c303e14b1103fa72de417f7e2651e3a0b6f6f2fc451df6f983824e7eaff300bece4f0ce6069a2a7358552b097ce8e52680899475ddf05740240a

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

MD5
559a3ab04d99bb4cb745938e8ca50df7

SHA1
ad5e3b52aa06e70c7773f6154821a5c9fb71600b

SHA256
ea83340d68d0d0074a2033d733ac1c540a20a1b3695b1736a1acda0d140c2a36

SHA512
0fbf18d40b40c303e14b1103fa72de417f7e2651e3a0b6f6f2fc451df6f983824e7eaff300bece4f0ce6069a2a7358552b097ce8e52680899475ddf05740240a

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

MD5
f88d4dfabd4f78acaa42d895f43f8828

SHA1
c9b36c929c99f32a9ed2470dd8855dd1745037a7

SHA256
140a91341c83c30263f50513c724101f9fc998604d2760198863c2eae167c0f9

SHA512
8ffd5d00a775bd0e4b6e4000a010786fc0ea5fbea12f972b3896fb1b9f4deda03ba00a73bfa439877698c8adc9fa1f9567c30514bd096fdde26fdda0c1fe38d3

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

MD5
f88d4dfabd4f78acaa42d895f43f8828

SHA1
c9b36c929c99f32a9ed2470dd8855dd1745037a7

SHA256
140a91341c83c30263f50513c724101f9fc998604d2760198863c2eae167c0f9

SHA512
8ffd5d00a775bd0e4b6e4000a010786fc0ea5fbea12f972b3896fb1b9f4deda03ba00a73bfa439877698c8adc9fa1f9567c30514bd096fdde26fdda0c1fe38d3

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe

MD5
2b5321933427432adbfe1cfce7f08344

SHA1
b36505e427fe3d407b1f4e25cbc1ece657da1ea0

SHA256
1bde501cef6136fd7d61ae338b9bf743788012a9aad2c76f6100e2b79dd6435d

SHA512
da92b5a20d5a8b848f5b6f25fd4861cbea1c45e6becc63b7a037c8a0d10c94c495270f6b2fac672564820b8387e69b30c700c74e4a74f841b737f30be8152b10

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe

MD5
2b5321933427432adbfe1cfce7f08344

SHA1
b36505e427fe3d407b1f4e25cbc1ece657da1ea0

SHA256
1bde501cef6136fd7d61ae338b9bf743788012a9aad2c76f6100e2b79dd6435d

SHA512
da92b5a20d5a8b848f5b6f25fd4861cbea1c45e6becc63b7a037c8a0d10c94c495270f6b2fac672564820b8387e69b30c700c74e4a74f841b737f30be8152b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp1.exe

MD5
401f633fb3b93427975f59639658404b

SHA1
51b5ac180fbdca5d74642fe32e0ab3d6ab8fa6b7

SHA256
4f28bf2f6d84e7ecb7daf9fdaf0897ae2c32337f68f9eec4a7a8b948b714c0da

SHA512
0708aa4bae6689b696f783afd75610319d45687f26a17517e9423529638d994dcd7217e30ff5ac4dd36700fcd3eaaac97da7524dfc7805015c60be6790486211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp1.exe

MD5
401f633fb3b93427975f59639658404b

SHA1
51b5ac180fbdca5d74642fe32e0ab3d6ab8fa6b7

SHA256
4f28bf2f6d84e7ecb7daf9fdaf0897ae2c32337f68f9eec4a7a8b948b714c0da

SHA512
0708aa4bae6689b696f783afd75610319d45687f26a17517e9423529638d994dcd7217e30ff5ac4dd36700fcd3eaaac97da7524dfc7805015c60be6790486211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp2.exe

MD5
3bad4ac424e0b6f2b4fde8205c37b5be

SHA1
8709ce3012f178e52716865992bdef531ba87c05

SHA256
238d672eddadd5d79508ea509462e3d135d1e85756d3ae3c8793ea3055cbd966

SHA512
bb61bbc81fa855b3c2532d3634c51b5a813ee1c2028fa7492e5619d52daa6a0396fc95e5d854ba4f8da4fac207b1f80ac77505ac957ab401958da84fe5dcab01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tmp2.exe

MD5
3bad4ac424e0b6f2b4fde8205c37b5be

SHA1
8709ce3012f178e52716865992bdef531ba87c05

SHA256
238d672eddadd5d79508ea509462e3d135d1e85756d3ae3c8793ea3055cbd966

SHA512
bb61bbc81fa855b3c2532d3634c51b5a813ee1c2028fa7492e5619d52daa6a0396fc95e5d854ba4f8da4fac207b1f80ac77505ac957ab401958da84fe5dcab01

Download Submit
memory/2080-3-0x0000000000000000-mapping.dmp

Download
memory/2148-9-0x0000000000000000-mapping.dmp

Download
memory/2320-10-0x0000000000000000-mapping.dmp

Download
memory/2668-11-0x0000000000000000-mapping.dmp

Download
memory/2668-12-0x0000000000000000-mapping.dmp

Download
memory/2668-20-0x000000006FA10000-0x00000000700FE000-memory.dmp

Filesize
6.9MB

Download
memory/3400-15-0x0000000000000000-mapping.dmp

Download
memory/3400-16-0x0000000000000000-mapping.dmp

Download
memory/3400-19-0x000000006FA10000-0x00000000700FE000-memory.dmp

Filesize
6.9MB

Download
memory/3832-0-0x0000000000000000-mapping.dmp

Download
memory/4020-6-0x0000000000000000-mapping.dmp

Download