0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473b99ecfc3b75620f6201898e1d8f74.exe
Size

473KB
MD5

473b99ecfc3b75620f6201898e1d8f74
SHA1

d30e8402cfdd0c2bb67c9c27fbba685682861818
SHA256

0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
SHA512

45b4ef4bf7fd28543ee1f1ac738fe66daebb1cffd45f4cd357d9e6a86419da184764ef66adb854dcb985a5b5259d2de1a6c3fa67f3e3c52e8582f2fe538dbba8

Score

10^/10

discovery persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 1392 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1392	cmd.exe

ServiceHost packer 14 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral1/memory/1460-32-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-31-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-33-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-34-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-35-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-36-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-37-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-39-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-40-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-41-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-38-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-43-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-44-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/1460-42-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 4 IoCs

Processes:

wotsuper.exe1.exe2.exespoolsvc.exe

pid process

1740 wotsuper.exe
1232 1.exe
1460 2.exe
2036 spoolsvc.exe

pid	process
1740	wotsuper.exe
1232	1.exe
1460	2.exe
2036	spoolsvc.exe

Loads dropped DLL 8 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exewotsuper.exeWerFault.exe

pid	process
1764	473b99ecfc3b75620f6201898e1d8f74.exe
1740	wotsuper.exe
1740	wotsuper.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\VersionRecover = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\spoolsvc.exe"	spoolsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exe

description	ioc	process
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	473b99ecfc3b75620f6201898e1d8f74.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	473b99ecfc3b75620f6201898e1d8f74.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	473b99ecfc3b75620f6201898e1d8f74.exe

Drops file in Windows directory 1 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exe

description ioc process

File opened for modification C:\Windows\wotsuper.reg 473b99ecfc3b75620f6201898e1d8f74.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1260 1460 WerFault.exe 2.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1304 regedit.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

spoolsvc.exe

pid process

2036 spoolsvc.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1460 2.exe
Token: SeDebugPrivilege 1260 WerFault.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

efsui.exe

pid process

1660 efsui.exe
1660 efsui.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

efsui.exe

pid process

1660 efsui.exe
1660 efsui.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	473b99ecfc3b75620f6201898e1d8f74.exe

pid	pid_target	process	target process
1260	1460	WerFault.exe	2.exe

pid	process
1304	regedit.exe

pid	process
2036	spoolsvc.exe

pid	process
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1460	2.exe
Token: SeDebugPrivilege	1260	WerFault.exe

pid	process
1660	efsui.exe
1660	efsui.exe

pid	process
1660	efsui.exe
1660	efsui.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exewotsuper.execmd.exe2.exe

description	pid	process	target process
PID 1764 wrote to memory of 1740	1764	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 1764 wrote to memory of 1740	1764	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 1764 wrote to memory of 1740	1764	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 1764 wrote to memory of 1740	1764	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 1764 wrote to memory of 1304	1764	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 1764 wrote to memory of 1304	1764	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 1764 wrote to memory of 1304	1764	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 1764 wrote to memory of 1304	1764	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 1740 wrote to memory of 1232	1740	wotsuper.exe	1.exe
PID 1740 wrote to memory of 1232	1740	wotsuper.exe	1.exe
PID 1740 wrote to memory of 1232	1740	wotsuper.exe	1.exe
PID 1740 wrote to memory of 1232	1740	wotsuper.exe	1.exe
PID 1740 wrote to memory of 1460	1740	wotsuper.exe	2.exe
PID 1740 wrote to memory of 1460	1740	wotsuper.exe	2.exe
PID 1740 wrote to memory of 1460	1740	wotsuper.exe	2.exe
PID 1740 wrote to memory of 1460	1740	wotsuper.exe	2.exe
PID 1656 wrote to memory of 1640	1656	cmd.exe	choice.exe
PID 1656 wrote to memory of 1640	1656	cmd.exe	choice.exe
PID 1656 wrote to memory of 1640	1656	cmd.exe	choice.exe
PID 1656 wrote to memory of 2036	1656	cmd.exe	spoolsvc.exe
PID 1656 wrote to memory of 2036	1656	cmd.exe	spoolsvc.exe
PID 1656 wrote to memory of 2036	1656	cmd.exe	spoolsvc.exe
PID 1656 wrote to memory of 2036	1656	cmd.exe	spoolsvc.exe
PID 1460 wrote to memory of 1260	1460	2.exe	WerFault.exe
PID 1460 wrote to memory of 1260	1460	2.exe	WerFault.exe
PID 1460 wrote to memory of 1260	1460	2.exe	WerFault.exe
PID 1460 wrote to memory of 1260	1460	2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe
"C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe"
3⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 704
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
2⤵
- Runs .reg file with regedit
PID:1304

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1660

C:\Windows\system32\cmd.exe
cmd /c choice /C Y /N /D Y /T 3 & del "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe" & C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
2ed9f34a134fc04a70618a44bd272757

SHA1
448a0df4d27179cb6cac1e3e355f9abf07e10403

SHA256
75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4

SHA512
d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
2ed9f34a134fc04a70618a44bd272757

SHA1
448a0df4d27179cb6cac1e3e355f9abf07e10403

SHA256
75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4

SHA512
d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
2ed9f34a134fc04a70618a44bd272757

SHA1
448a0df4d27179cb6cac1e3e355f9abf07e10403

SHA256
75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4

SHA512
d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
memory/1232-6-0x0000000000000000-mapping.dmp

Download
memory/1232-14-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1260-25-0x0000000000000000-mapping.dmp

Download
memory/1260-26-0x0000000001E90000-0x0000000001EA1000-memory.dmp

Filesize
68KB

Download
memory/1260-45-0x0000000002690000-0x00000000026A1000-memory.dmp

Filesize
68KB

Download
memory/1304-4-0x0000000000000000-mapping.dmp

Download
memory/1460-34-0x0000000000000000-mapping.dmp

Download
memory/1460-36-0x0000000000000000-mapping.dmp

Download
memory/1460-16-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1460-13-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1460-10-0x0000000000000000-mapping.dmp

Download
memory/1460-42-0x0000000000000000-mapping.dmp

Download
memory/1460-32-0x0000000000000000-mapping.dmp

Download
memory/1460-31-0x0000000000000000-mapping.dmp

Download
memory/1460-33-0x0000000000000000-mapping.dmp

Download
memory/1460-44-0x0000000000000000-mapping.dmp

Download
memory/1460-35-0x0000000000000000-mapping.dmp

Download
memory/1460-43-0x0000000000000000-mapping.dmp

Download
memory/1460-37-0x0000000000000000-mapping.dmp

Download
memory/1460-39-0x0000000000000000-mapping.dmp

Download
memory/1460-40-0x0000000000000000-mapping.dmp

Download
memory/1460-41-0x0000000000000000-mapping.dmp

Download
memory/1460-38-0x0000000000000000-mapping.dmp

Download
memory/1640-19-0x0000000000000000-mapping.dmp

Download
memory/1740-1-0x0000000000000000-mapping.dmp

Download
memory/2036-20-0x0000000000000000-mapping.dmp

Download
memory/2036-23-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2036-22-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download