Analysis
-
max time kernel: 114s
max time network: 140s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:36
Static task: static1
Behavioral task: behavioral1
Sample: 432db6f0e813f2dd346bb4411b6263b3.exe
Resource: win7v20201028
General
-
Target: 432db6f0e813f2dd346bb4411b6263b3.exe
Size: 696KB
MD5: 432db6f0e813f2dd346bb4411b6263b3
SHA1: 64e07afef6d1c9c3cb7aaa57d0d469892203fbc4
SHA256: 7ee9786ce295430044ac02259ca43dd92a036f3146533b308dca24f87e05edd4
SHA512: f9cbe6df06359f290ed5720399f20d969a254ed33927d6d7eaf8d137da8cd07166dada50906d633c03c6c3c1d871dadc5731639c1ddb700525ab7b0a90d17e8b
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1496  wotsuper.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
1588  432db6f0e813f2dd346bb4411b6263b3.exe
1588  432db6f0e813f2dd346bb4411b6263b3.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
28    ip-api.com
-
Drops file in Program Files directory 3 IoCs
Processes:
description                   ioc                                                     process
File created                  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini  432db6f0e813f2dd346bb4411b6263b3.exe
File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe   432db6f0e813f2dd346bb4411b6263b3.exe
File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe  432db6f0e813f2dd346bb4411b6263b3.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description                   ioc                       process
File opened for modification  C:\Windows\wotsuper.reg   432db6f0e813f2dd346bb4411b6263b3.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      wotsuper.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wotsuper.exe
-
Modifies Internet Explorer settings
Processes:
description        ioc                                                                                                                                    process
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing                        iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames            iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main                                  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic              iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry                      iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry                           iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main                                  IEXPLORE.EXE
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser                    iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
Set value (str)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup                             iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom                                  iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000f817331c2e9c5f2374c9b8d7f45545a0c366554d130fdf23a09975e4b38d797e000000000e800000000200002000000045e1644836b51b5daaf04c445ca1d2c2eeaa4319d8d5d876a44cdcef64b169d020000000898acdbb63106bfabdb84e17c55e7394e9233a7f9bcd1bea7779838fe67614f940000000c42e3b8ccd639da54ac6a778d9e5286a47d97e1ab5a6793c463c9eb692e0c991713ab86d18cbd0ab6ee3d7e125b29a23f1ba33b05f700755411ae3a349463a39  iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e79938e3b6d601  iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"                iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"      iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage             iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"         iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion                      iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU                                   iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar                               iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                    iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\           iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms                          iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage                iexplore.exe
Set value (data)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery              iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311723946"  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic                          iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                  iexplore.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{602A0091-22D6-11EB-9B42-F2DC1BF59C8B} = "0"  iexplore.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created        \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                    IEXPLORE.EXE
-
Runs .reg file with regedit 1 IoCs
Processes:
pid   process
1932  regedit.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
1496  wotsuper.exe
1496  wotsuper.exe
1496  wotsuper.exe
1496  wotsuper.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
1896  iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid   process
1896  iexplore.exe
1896  iexplore.exe
1356  IEXPLORE.EXE
1356  IEXPLORE.EXE
1356  IEXPLORE.EXE
1356  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                        pid   process                               target process
PID 1588 wrote to memory of 1496   1588  432db6f0e813f2dd346bb4411b6263b3.exe  wotsuper.exe
PID 1588 wrote to memory of 1496   1588  432db6f0e813f2dd346bb4411b6263b3.exe  wotsuper.exe
PID 1588 wrote to memory of 1496   1588  432db6f0e813f2dd346bb4411b6263b3.exe  wotsuper.exe
PID 1588 wrote to memory of 1496   1588  432db6f0e813f2dd346bb4411b6263b3.exe  wotsuper.exe
PID 1588 wrote to memory of 1932   1588  432db6f0e813f2dd346bb4411b6263b3.exe  regedit.exe
PID 1588 wrote to memory of 1932   1588  432db6f0e813f2dd346bb4411b6263b3.exe  regedit.exe
PID 1588 wrote to memory of 1932   1588  432db6f0e813f2dd346bb4411b6263b3.exe  regedit.exe
PID 1588 wrote to memory of 1932   1588  432db6f0e813f2dd346bb4411b6263b3.exe  regedit.exe
PID 1588 wrote to memory of 1896   1588  432db6f0e813f2dd346bb4411b6263b3.exe  iexplore.exe
PID 1588 wrote to memory of 1896   1588  432db6f0e813f2dd346bb4411b6263b3.exe  iexplore.exe
PID 1588 wrote to memory of 1896   1588  432db6f0e813f2dd346bb4411b6263b3.exe  iexplore.exe
PID 1588 wrote to memory of 1896   1588  432db6f0e813f2dd346bb4411b6263b3.exe  iexplore.exe
PID 1896 wrote to memory of 1356   1896  iexplore.exe                          IEXPLORE.EXE
PID 1896 wrote to memory of 1356   1896  iexplore.exe                          IEXPLORE.EXE
PID 1896 wrote to memory of 1356   1896  iexplore.exe                          IEXPLORE.EXE
PID 1896 wrote to memory of 1356   1896  iexplore.exe                          IEXPLORE.EXE
Processes (process tree; the number in brackets is the nesting depth)
-
[1] C:\Users\Admin\AppData\Local\Temp\432db6f0e813f2dd346bb4411b6263b3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\432db6f0e813f2dd346bb4411b6263b3.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
        Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\SysWOW64\regedit.exe
        Command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
        - Runs .reg file with regedit
    [2] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5: 92ab03f9b717775109003526dc953222
SHA1: c9e1ae9bfa62f155692ca7a2084d17cfc2e12ae1
SHA256: 78c9d1c82182e7bdc21c5a5747590ab050b57f6e4b8b5f8a03b4177414f00ba7
SHA512: 4f929e6ba9157701fd72cf1dad251f2fd9918f5e00ab52ecc56f4b0a5b952f4cca5588a73cf60602d52e389674db82c1eb47a11ba4e9923f0fd59947f993c75e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: ebb9fe3fa4a3519fc590b350d3b817a1
SHA1: aae08f705f34d0c98aa8ef26864f20c54af28cc6
SHA256: 9b34a474908c0081ad75849ae753a3b254200e74ae2d999d36385f135e50e2da
SHA512: facd9bb05708b0f56c5e3cae4f5f63cdd67be0df499183ef0cc2c6ffa0e59f8a9bbe612afda8fe4b8c3bdb4f4d3a387f627e47291c3ae9429447712b479aa71f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5: 931ebab29571bc8ec9d36bd4d6c4df42
SHA1: 471a4c83d51b09732dc6e80a08d47dc2ba086852
SHA256: 40967cea81a07be327150b9f192b63d421da0e63f0b258d3ab5a02b80df3205b
SHA512: 36c10c3453526f832a1e5fca1fa53335ba07e60f279a33ef5897312a57582f90d0080d502e64e67d6020b6f750a7fa3955426dba4b7d71d44436c8d40ee0f2da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\399141JQ.txt
MD5: 6643bae8c97bddaf6fbdacb033f6437f
SHA1: 18c5e8637ee71263770f718fc2e65f3264cd9af0
SHA256: 4888530d8ec28a9577abac5976a5ed1e235f35d2c322e08aa72c980289ddda45
SHA512: 8b2b1356db3217ebadd72550a15b94498fece331a1fa616ec57a537a71a9cfa1984991172cf1f57cff58aadac0b5989c2bf09a50fe4ea1471938c17b19574ecd
-
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5: 92ab03f9b717775109003526dc953222
SHA1: c9e1ae9bfa62f155692ca7a2084d17cfc2e12ae1
SHA256: 78c9d1c82182e7bdc21c5a5747590ab050b57f6e4b8b5f8a03b4177414f00ba7
SHA512: 4f929e6ba9157701fd72cf1dad251f2fd9918f5e00ab52ecc56f4b0a5b952f4cca5588a73cf60602d52e389674db82c1eb47a11ba4e9923f0fd59947f993c75e
-
memory/1356-7-0x0000000000000000-mapping.dmp
-
memory/1496-9-0x0000000001F30000-0x0000000001F41000-memory.dmp
Filesize: 68KB
-
memory/1496-8-0x00000000005AB000-0x00000000005AC000-memory.dmp
Filesize: 4KB
-
memory/1496-2-0x0000000000000000-mapping.dmp
-
memory/1780-6-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp
Filesize: 2.5MB
-
memory/1896-5-0x0000000000000000-mapping.dmp
-
memory/1932-4-0x0000000000000000-mapping.dmp