Analysis
- max time kernel: 102s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:39
Static task: static1
Behavioral task: behavioral1
Sample: 4ef8ca1609ef52a9a30bcc7e87083b55.exe
Resource: win7v20201028
General
- Target: 4ef8ca1609ef52a9a30bcc7e87083b55.exe
- Size: 681KB
- MD5: 4ef8ca1609ef52a9a30bcc7e87083b55
- SHA1: d2f204852ab8b8d19288eef03549c87cfb9fbda9
- SHA256: aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7
- SHA512: 991ad0bf136825f3c46a748aca349a4a0dd007fe0b72aaff631978f2a2682d8aa12457f7c6df20733dedad919b4606b1c0731a413c75be51289a2f4896c2ec4a
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process): 1456 wotsuper.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process): 1080 4ef8ca1609ef52a9a30bcc7e87083b55.exe (2 events)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow / ioc): 12 ip-api.com
- Drops file in Program Files directory (3 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe | 4ef8ca1609ef52a9a30bcc7e87083b55.exe
  File created | C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini | 4ef8ca1609ef52a9a30bcc7e87083b55.exe
  File opened for modification | C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe | 4ef8ca1609ef52a9a30bcc7e87083b55.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\wotsuper.reg | 4ef8ca1609ef52a9a30bcc7e87083b55.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wotsuper.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wotsuper.exe
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Runs .reg file with regedit (1 IoCs)
  Processes (pid / process): 1520 regedit.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process): 1456 wotsuper.exe (4 events)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid / process): 1640 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid / process): 1640 iexplore.exe (2 events), 536 IEXPLORE.EXE (4 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
  PID 1080 wrote to memory of 1456 | 1080 | 4ef8ca1609ef52a9a30bcc7e87083b55.exe | wotsuper.exe (4 events)
  PID 1080 wrote to memory of 1520 | 1080 | 4ef8ca1609ef52a9a30bcc7e87083b55.exe | regedit.exe (4 events)
  PID 1080 wrote to memory of 1640 | 1080 | 4ef8ca1609ef52a9a30bcc7e87083b55.exe | iexplore.exe (4 events)
  PID 1640 wrote to memory of 536 | 1640 | iexplore.exe | IEXPLORE.EXE (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4ef8ca1609ef52a9a30bcc7e87083b55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ef8ca1609ef52a9a30bcc7e87083b55.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\SysWOW64\regedit.exe
    Command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
    - Runs .reg file with regedit
  - [2] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  MD5: b546f0345b342336c17e5308953a0523
  SHA1: b2c4bb0a6a3f19b70f078ca4e9dd4cdd66d7848e
  SHA256: 844416ef0674d50b0c579e1d95ed7ac729d5c553b26770764d4e609fb94e94ec
  SHA512: f866163aabfcbde5b7da25e937799b35f6f7e0619cc88e69d23719f843815f23bf5dd253b4a3a9428909cecd9f7df3d02ec313e163bad1a40ed599a32be1e27d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 8a0f138687887daf41a1d0647b63d3f8
  SHA1: f95462b13e7091e1f7ad33130b6a8a340e6bf35c
  SHA256: cf22e7479cd0e2548f21f24b5fac7960c26ff98a34ef78a8e804775b66b1ada5
  SHA512: 04de7932672b82584daa39681767159474fc2bf33ab8f9bdf38c6403f89e765e83d6228b5da16058829eb17b6bf5c632c544411a400085d5cc7fb3920bbd9d67
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
  MD5: e0bf1a6766d82121595a186af3587abb
  SHA1: 0b74bcdd1f0d4a8ea8c10716e480d5cc40534b38
  SHA256: cbd8821d7893e8ef18a0f02b3d486421b3ca11ffdb3d591df307a5444fb4ae5a
  SHA512: 4f976f1667efe79b5f928501916a0b0196929206668aefedc05d310761c735fd5be38cda8d2df83016a88ea9ae4025f4a381c122b400c324bcd54507f04c41ba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YI7L9ECR.txt
  MD5: 842a07e2143b8c222f4b976a70f57cfc
  SHA1: 175f73cd876b9ff3e645ce14fd19469104bb64b6
  SHA256: 18e938cc5eaa2112ac58d1e2e1edfce84c0ba2abbac7a1b6f08031a039fc958d
  SHA512: 1d04a8a497ae1cbf0893aed34eeb7bf2980ed0c18c6a3ea4cee99c7c40d445e504a0a324783bc0763974c19bd03118afa06c50ab3f6841b0f3af0ac80a889114
- \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  MD5: b546f0345b342336c17e5308953a0523
  SHA1: b2c4bb0a6a3f19b70f078ca4e9dd4cdd66d7848e
  SHA256: 844416ef0674d50b0c579e1d95ed7ac729d5c553b26770764d4e609fb94e94ec
  SHA512: f866163aabfcbde5b7da25e937799b35f6f7e0619cc88e69d23719f843815f23bf5dd253b4a3a9428909cecd9f7df3d02ec313e163bad1a40ed599a32be1e27d
- memory/536-9-0x0000000000000000-mapping.dmp
- memory/1088-6-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (Filesize: 2.5MB)
- memory/1456-8-0x0000000001EC0000-0x0000000001ED1000-memory.dmp (Filesize: 68KB)
- memory/1456-7-0x000000000058B000-0x000000000058C000-memory.dmp (Filesize: 4KB)
- memory/1456-2-0x0000000000000000-mapping.dmp
- memory/1520-4-0x0000000000000000-mapping.dmp
- memory/1640-5-0x0000000000000000-mapping.dmp