Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 09-11-2020 19:36
  Static task: static1
  Behavioral task: behavioral1
  Sample: 57f144a367aad10f85ac746fde7e9571.exe
  Resource: win7v20201028
General
  Target: 57f144a367aad10f85ac746fde7e9571.exe
  Size: 503KB
  MD5: 57f144a367aad10f85ac746fde7e9571
  SHA1: d4b7744b503b11e7a82564953e4179ba36bd9c5c
  SHA256: 3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c
  SHA512: 11fe3ef1fbc6218693ecc1afa88b0cefedc72b1b1800fba430cf547401d8f3860a206b67f050fe06b30a7aeeb7cdebf4d6e4afe311aca989e8a775c75853d96b
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: pid 1388 wotsuper.exe

Loads dropped DLL (2 IoCs)
  Processes: pid 1848 57f144a367aad10f85ac746fde7e9571.exe (2 loads)

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network: flow 12 -> ip-api.com

Drops file in Program Files directory (3 IoCs)
  Process 57f144a367aad10f85ac746fde7e9571.exe:
    File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe
    File created                  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini

Drops file in Windows directory (1 IoC)
  Process 57f144a367aad10f85ac746fde7e9571.exe:
    File opened for modification  C:\Windows\wotsuper.reg

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process wotsuper.exe:
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE. These writes are made by the browser processes the sample launched, not by the sample itself. Every key below is under
  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\
    Key created       Main\WindowsSearch  (iexplore.exe)
    Key created       TabbedBrowsing\NewTabPage  (iexplore.exe)
    Set value (data)  TabbedBrowsing\NewTabPage\MFV = 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  (iexplore.exe)
    Key created       DomainSuggestion\FileNames  (iexplore.exe)
    Key created       Main  (iexplore.exe)
    Key created       BrowserEmulation\LowMic  (iexplore.exe)
    Key created       GPU  (iexplore.exe)
    Key created       LowRegistry\DOMStorage  (iexplore.exe)
    Set value (int)   Recovery\AdminActive\{85B2DBC1-22D6-11EB-8489-EE45CAFA0C11} = "0"  (iexplore.exe)
    Key created       InternetRegistry  (iexplore.exe)
    Key created       PageSetup  (iexplore.exe)
    Key created       Recovery\PendingRecovery  (iexplore.exe)
    Key created       Main\WindowsSearch  (IEXPLORE.EXE)
    Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000c62891582ed6b9a1c4f06f54a2343e5bbdc52296db5d00544b51df422fd9b27b000000000e80000000020000200000007849cf2a6dde4935c2ec4e54ea9c410b8078e54bb751f91c4e3571efb2782f3e200000007369173495bbf6f6d13e795a9318d07ad31132c52d4c98f28a75d38214e64e7840000000b4c9864092f04d19f43a245b541f3833eee5d243960d77dd986f2308cb195c11dc26db6ab1430962eb2bf5ff4034c92f1ada1176862a7416083e3eb55b555e69  (iexplore.exe; the value is a DPAPI blob, recognisable by the provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb after the version dword)
    Key created       DomainSuggestion\FileNames\  (iexplore.exe)
    Set value (int)   DomainSuggestion\NextUpdateDate = "311724008"  (iexplore.exe)
    Key created       LowRegistry  (iexplore.exe)
    Key created       Main  (IEXPLORE.EXE)
    Key created       TabbedBrowsing  (iexplore.exe)
    Set value (str)   DomainSuggestion\FileNames\en-US = "en-US.1"  (iexplore.exe)
    Set value (int)   TabbedBrowsing\NTPFirstRun = "1"  (iexplore.exe)
    Key created       LowRegistry\DontShowMeThisDialogAgain  (iexplore.exe)
    Key created       Toolbar  (iexplore.exe)
    Key created       Toolbar\WebBrowser  (iexplore.exe)
    Set value (int)   Main\CompatibilityFlags = "0"  (iexplore.exe)
    Key created       Recovery\AdminActive  (iexplore.exe)
    Set value (int)   Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
    Set value (str)   Main\WindowsSearch\Version = "WS not running"  (IEXPLORE.EXE)
    Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = d01e695de3b6d601  (iexplore.exe)
    Key created       DomainSuggestion  (iexplore.exe)
    Key created       IntelliForms  (iexplore.exe)
    Set value (str)   Main\FullScreen = "no"  (iexplore.exe)
    Key created       IETld\LowMic  (iexplore.exe)
    Key created       Zoom  (iexplore.exe)
    Set value (str)   Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
    Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
Runs .reg file with regedit (1 IoC)
  Processes: pid 1992 regedit.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: pid 1388 wotsuper.exe (4 events)

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: pid 1988 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: pid 1988 iexplore.exe (2 events), pid 1684 IEXPLORE.EXE (4 events)

Suspicious use of WriteProcessMemory (16 IoCs)
  Source PID -> target PID (each pair was logged 4 times):
    1848 57f144a367aad10f85ac746fde7e9571.exe -> 1388 wotsuper.exe
    1848 57f144a367aad10f85ac746fde7e9571.exe -> 1992 regedit.exe
    1848 57f144a367aad10f85ac746fde7e9571.exe -> 1988 iexplore.exe
    1988 iexplore.exe -> 1684 IEXPLORE.EXE
Processes (indentation shows the parent/child tree)
  C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\regedit.exe
      command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      - Runs .reg file with regedit
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
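As an added example (not part of the sandbox report, and not code from the sample's author), the following Python script turns the process chain above into a host hunt: it reconstructs parent/child links from process-creation events, flags the three behaviours the report singles out (execution of the dropped wotsuper.exe, the silent regedit import of C:\Windows\wotsuper.reg, and the browser launch to iplogger.org), traces every hit back to a common root process, and checks candidate file bytes against the reported hashes of wotsuper.exe. The indicator values are copied from the report; the event lines are constructed to mirror the reported tree, and the parent pid 1200 of the sample and the pipe-separated event format are assumptions.

```python
"""Hunt for the host-side chain this sandbox run reports.

Added example, not part of the sandbox report. Indicator values (file path,
hashes, .reg path, domains, command lines) are copied from the report; the
process-creation events below are constructed to mirror the reported tree,
not captured from a real host.
"""
import hashlib
import re

# Indicators taken from the report.
DROPPED_EXE = r"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
DROPPED_EXE_HASHES = {
    "md5": "06077cafcb7bfc014cbaf6f86de3e135",
    "sha1": "edac330e5d9ae292092f74f4353d6354617d0047",
    "sha256": "4f1754d38419af7a4bb7eac503eabb4d4c8c6a5a6aab6327cf3a0eebfaecc0cb",
}
NETWORK_IOCS = ("ip-api.com", "iplogger.org")

# Constructed process-creation events (Sysmon EventID 1 style), one per line:
# pid|ppid|image|command line. Pid 1200 is an assumed parent of the sample;
# the report does not give one.
SAMPLE_EVENTS = r"""
1848|1200|C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe|"C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe"
1388|1848|C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe|"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
1992|1848|C:\Windows\SysWOW64\regedit.exe|"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
1988|1848|C:\Program Files\Internet Explorer\iexplore.exe|"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
1684|1988|C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE|"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
"""


def parse_events(text):
    """Parse pipe-separated event lines into dicts with Sysmon-like fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def is_silent_reg_import(ev):
    r"""regedit importing a .reg from the Windows directory with the silent switch.

    The report shows the switch written as "\s"; "/s" is matched as well.
    The check keys on the image name, not the System32 path, because the
    32-bit sample's System32 reference was redirected to SysWOW64.
    """
    if not ev["image"].lower().endswith("\\regedit.exe"):
        return False
    pattern = r'[/\\]s\s+"?c:\\windows\\[^"\s]+\.reg'
    return re.search(pattern, ev["cmdline"], re.IGNORECASE) is not None


def contacted_ioc_domain(ev):
    """Return the reported domain found in the command line, if any."""
    cmd = ev["cmdline"].lower()
    for host in NETWORK_IOCS:
        if host in cmd:
            return host
    return None


def root_pid(pid, by_pid):
    """Walk ppid links up to the first process whose parent is not in the set."""
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def hunt(text):
    """Return ([(pid, reason, detail), ...], {root pids the hits trace to})."""
    events = parse_events(text)
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["image"].lower() == DROPPED_EXE.lower():
            hits.append((ev["pid"], "executes dropped EXE", ev["image"]))
        if is_silent_reg_import(ev):
            hits.append((ev["pid"], "silent .reg import", ev["cmdline"]))
        host = contacted_ioc_domain(ev)
        if host:
            hits.append((ev["pid"], "browser opened reported domain", host))
    roots = {root_pid(pid, by_pid) for pid, _, _ in hits}
    return hits, roots


def hashes_of(data):
    """MD5/SHA1/SHA256 of a byte string, the hash set the report gives."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DROPPED_EXE_HASHES}


def is_reported_dropper_payload(data):
    """True only if every reported hash of wotsuper.exe matches the bytes."""
    return hashes_of(data) == DROPPED_EXE_HASHES


if __name__ == "__main__":
    found, roots = hunt(SAMPLE_EVENTS)
    for pid, reason, detail in found:
        print(f"pid {pid}: {reason}: {detail}")
    print("all hits descend from pid(s):", sorted(roots))
```

On the constructed events the hunt reports pids 1388, 1992 and 1988 and traces all three to pid 1848, the sample. The regedit check deliberately matches on the image name rather than the full path: the report's image is C:\Windows\SysWOW64\regedit.exe even though the command line names System32, because WoW64 file system redirection rewrites a 32-bit process's System32 references, so a rule keyed on the System32 path alone would miss this launch.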
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  (also listed twice as \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe with identical hashes)
    MD5     06077cafcb7bfc014cbaf6f86de3e135
    SHA1    edac330e5d9ae292092f74f4353d6354617d0047
    SHA256  4f1754d38419af7a4bb7eac503eabb4d4c8c6a5a6aab6327cf3a0eebfaecc0cb
    SHA512  a0ef240723eeabc3a76e72a1a840cc4963ace8e2e7f5745f7c6043c1b6ae77c3a0f48516af0a129c531835f7dff2a3bbae46fefbe69a59f210b2ca835001fe51

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5     856180e17f478834cc59f08ee0c8b925
    SHA1    350f357d3ded2b318ffd8d2e56f641b9ae9c0863
    SHA256  11816fac652743f9d02de4e4309c63fda043514aaedd5fedd96319090f586196
    SHA512  5560084a8f9dcf99f8207051dc962377730b7a6aae8ca33914f07250c422fbbdff59511b49597939b7b69a8ea6090abb22b080e3b204a857c1e82915e1b3c9e1

  C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5     a4b9dac58ea280565d941bfc2f899eb1
    SHA1    502e406a763a9a5de3578bfdfdcae1460343213a
    SHA256  3e4eb0815379761bbf738f0ece3c7642e109ddae746652fa77d777aec1e01be7
    SHA512  e795085d547b66433f6183f39cd61bb081cbf1e06f471a2d464a47935242fba8dda64a2775163bad9e631a15fff704bda609a6a8fc44e07aa420fc0893897556

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3QQI2ZX8.txt
    MD5     b898545c3920dec0aedc29627b79caf3
    SHA1    10d6e131f2c2c75d4525be92e2f345a2dfb62214
    SHA256  c658c99cef3daf908a836b105d62e6526f626bb3dfa659ec7bd81584d9a8531d
    SHA512  5e62e21828cbdf7c3ad7110c001f09f8e959882fa1a0b3b7280751b014b75d56e81a63b9ce17380202ec294e8a97088878dc84b8699b94e84797ea8e7b25def5

  memory/1388-2-0x0000000000000000-mapping.dmp
  memory/1684-7-0x0000000000000000-mapping.dmp
  memory/1784-6-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp  (Filesize 2.5MB)
  memory/1988-5-0x0000000000000000-mapping.dmp
  memory/1992-4-0x0000000000000000-mapping.dmp